From 962155844aed338b15b5d322212e87102b00e096 Mon Sep 17 00:00:00 2001
From: Sander Bruens
Date: Wed, 26 Feb 2025 23:13:36 -0500
Subject: [PATCH] fix: break out of reading from the association if we can't get to relay (#245)
* fix: return early on failure to upgrade
* fix: add `ERR_READ` connection errors to track non-closure errors
* Close the association on invalid ciphers and packets to release resources.
* Break out of the association `Read()` loop on non-close read errors.
* Add `nil` checks.
* Simplify breaking out of the read loop for all initial packet errors.
* Simplify further by just checking the `targetConn`.
* Remove unnecessary `clientConn.Close()`.
* Improve comment slightly.
---
 service/udp.go | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/service/udp.go b/service/udp.go
index 438fbdfe..ee4c44de 100644
--- a/service/udp.go
+++ b/service/udp.go
@@ -170,6 +170,11 @@ func (h *associationHandler) HandleAssociation(ctx context.Context, clientConn n
 var proxyTargetBytes int
 connError := func() *onet.ConnectionError {
+ // Error from `clientConn.Read()`.
+ if err != nil {
+ return onet.NewConnectionError("ERR_READ", "Failed to read from association", err)
+ }
+
 var payload []byte
 var tgtUDPAddr *net.UDPAddr
 if targetConn == nil {
@@ -233,6 +238,11 @@ func (h *associationHandler) HandleAssociation(ctx context.Context, clientConn n
 status = connError.Status
 }
 assocMetrics.AddPacketFromClient(status, int64(clientProxyBytes), int64(proxyTargetBytes))
+ if targetConn == nil {
+ // If there's still no target connection, we didn't authenticate. Break out of handling the
+ // association here so resources can be released.
+ break
+ }
 }
 }
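Review bot: In the first hunk (`@@ -170,6 +170,11 @@`), the new `if err != nil` guard reports `ERR_READ`, but the only loop exit this patch adds (`if targetConn == nil { break }` in the second hunk) does not fire once a target connection exists. A read error that keeps recurring on an established association would therefore be counted and retried on every iteration. Whether `clientConn.Read()` can fail repeatedly without returning a close error is not visible here. If it can, consider leaving the loop on read errors as well, e.g. `if targetConn == nil || err != nil { break }` (assuming `err` is still in scope at that point), or say in the comment why continuing is safe. `err` is captured from outside the closure, and the closure body continues past the end of the hunk.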
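Review bot: In the second hunk (`@@ -233,6 +238,11 @@`), the comment equates a nil `targetConn` with a failed authentication, but the same condition is reached after the `ERR_READ` return added in the first hunk when no target connection existed yet. It is presumably also reached after any other failure inside the `if targetConn == nil {` branch, whose body is outside the visible lines. Because this check decides when a peer that never authenticated stops holding an association, the comment should name the cases it covers, for example `// No target connection was set up for this packet (read error, failed authentication or failed setup); stop handling the association so its resources can be released.` The enclosing loop starts outside the hunk.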