Fix and improve #169

- Use constants - Check packet length for OOB read - Replace assertion with logging
2020-05-08 20:30:17 +02:00 · 2020-05-08 20:30:17 +02:00 · 60213bafb8
parent aa580240b8
commit 60213bafb8
2 changed files with 27 additions and 10 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -5,6 +5,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

+## Unreleased
+
+- Fix IPv6 traffic broken on Mojave. [#146](https://github.com/passepartoutvpn/tunnelkit/issues/146), [#169](https://github.com/passepartoutvpn/tunnelkit/pull/169)
+
 ## 2.2.3 (2019-04-21)

 ### Changed
--- a/TunnelKit/Sources/AppExtension/Transport/NETunnelInterface.swift
+++ b/TunnelKit/Sources/AppExtension/Transport/NETunnelInterface.swift
@ -36,13 +36,24 @@

 import Foundation
 import NetworkExtension
+import SwiftyBeaver
+
+private let log = SwiftyBeaver.self

 /// `TunnelInterface` implementation via NetworkExtension.
 public class NETunnelInterface: TunnelInterface {
-    private weak var impl: NEPacketTunnelFlow?
+    private static let ipV4: UInt8 = 4
    
-    private static let protocolNumberForIPv4 = NSNumber(value: AF_INET)
-    private static let protocolNumberForIPv6 = NSNumber(value: AF_INET6)
+    private static let ipV6: UInt8 = 6
+    
+    private static let protocolNumbers: [UInt8: NSNumber] = [
+        ipV4: NSNumber(value: AF_INET),
+        ipV6: NSNumber(value: AF_INET6)
+    ]
+
+    private static let fallbackProtocolNumber = protocolNumbers[ipV4]!
+
+    private weak var impl: NEPacketTunnelFlow?
    
    /// :nodoc:
    public init(impl: NEPacketTunnelFlow) {
@ -91,16 +102,18 @@ public class NETunnelInterface: TunnelInterface {
    }

    private static func ipProtocolNumber(inPacket packet: Data) -> NSNumber {
+        guard !packet.isEmpty else {
+            return fallbackProtocolNumber
+        }
+
        // 'packet' contains the decrypted incoming IP packet data

        // The first 4 bits identify the IP version
-        let ipVersion = ((packet[0] & 0xf0) >> 4)
-        assert(ipVersion == 4 || ipVersion == 6)
-
-        if ipVersion == 6 {
-            return NETunnelInterface.protocolNumberForIPv6
-        } else {
-            return NETunnelInterface.protocolNumberForIPv4
-        }
+        let ipVersion = (packet[0] & 0xf0) >> 4
+        guard let protocolNumber = protocolNumbers[ipVersion] else {
+            log.warning("Unrecognized IP version (\(ipVersion))")
+            return fallbackProtocolNumber
+        }
+        return protocolNumber
    }
 }