only check for stateless resets if packet doesn't belong to a connection (#4322)

This technically violates the stateless reset handling logic described in RFC 9000 section 10.3.1 (see comment), but it saves one map lookup in the hot path.
2025-04-03 20:27:35 +03:00 · 2024-02-09 15:15:58 +07:00 · 2024-02-09 15:15:58 +07:00 · 4790797b58
commit 4790797b58
parent 02e4506c3b
2 changed files with 17 additions and 6 deletions
--- a/transport.go
+++ b/transport.go
@ -426,13 +426,21 @@ func (t *Transport) handlePacket(p receivedPacket) {
 		return
 	}

-	if isStatelessReset := t.maybeHandleStatelessReset(p.data); isStatelessReset {
-		return
-	}
+	// If there's a connection associated with the connection ID, pass the packet there.
 	if handler, ok := t.handlerMap.Get(connID); ok {
 		handler.handlePacket(p)
 		return
 	}
+	// RFC 9000 section 10.3.1 requires that the stateless reset detection logic is run for both
+	// packets that cannot be associated with any connections, and for packets that can't be decrypted.
+	// We deviate from the RFC and ignore the latter: If a packet's connection ID is associated with an
+	// existing connection, it is dropped there if if it can't be decrypted.
+	// Stateless resets use random connection IDs, and at reasonable connection ID lengths collisions are
+	// exceedingly rare. In the unlikely event that a stateless reset is misrouted to an existing connection,
+	// it is to be expected that the next stateless reset will be correctly detected.
+	if isStatelessReset := t.maybeHandleStatelessReset(p.data); isStatelessReset {
+		return
+	}
 	if !wire.IsLongHeaderPacket(p.data[0]) {
 		t.maybeSendStatelessReset(p)
 		return
--- a/transport_test.go
+++ b/transport_test.go
@ -205,7 +205,6 @@ var _ = Describe("Transport", func() {
 		b = append(b, token[:]...)
 		conn := NewMockPacketHandler(mockCtrl)
 		gomock.InOrder(
-			phm.EXPECT().GetByResetToken(token),
 			phm.EXPECT().Get(connID).Return(conn, true),
 			conn.EXPECT().handlePacket(gomock.Any()).Do(func(p receivedPacket) {
 				Expect(p.data).To(Equal(b))
@ -223,7 +222,10 @@ var _ = Describe("Transport", func() {
 	It("handles stateless resets", func() {
 		connID := protocol.ParseConnectionID([]byte{2, 3, 4, 5})
 		packetChan := make(chan packetToRead)
-		tr := Transport{Conn: newMockPacketConn(packetChan)}
+		tr := Transport{
+			Conn:               newMockPacketConn(packetChan),
+			ConnectionIDLength: connID.Len(),
+		}
 		tr.init(true)
 		defer tr.Close()
 		phm := NewMockPacketHandlerManager(mockCtrl)
@ -239,6 +241,7 @@ var _ = Describe("Transport", func() {
 		conn := NewMockPacketHandler(mockCtrl)
 		destroyed := make(chan struct{})
 		gomock.InOrder(
+			phm.EXPECT().Get(connID),
 			phm.EXPECT().GetByResetToken(token).Return(conn, true),
 			conn.EXPECT().destroy(gomock.Any()).Do(func(err error) {
 				Expect(err).To(MatchError(&StatelessResetError{Token: token}))
@ -277,8 +280,8 @@ var _ = Describe("Transport", func() {
 		rand.Read(token[:])
 		written := make(chan struct{})
 		gomock.InOrder(
-			phm.EXPECT().GetByResetToken(gomock.Any()),
 			phm.EXPECT().Get(connID),
+			phm.EXPECT().GetByResetToken(gomock.Any()),
 			phm.EXPECT().GetStatelessResetToken(connID).Return(token),
 			conn.EXPECT().WriteTo(gomock.Any(), gomock.Any()).Do(func(b []byte, _ net.Addr) (int, error) {
 				defer close(written)