quinn-udp: sanitise segment_size

thomaseizinger · djc · commit 6b901a3c278f · 2025-04-30T20:23:14.000Z
In order to perform GSO, an application needs to batch datagrams together into a big buffer. As part of such a batch, the last datagram is allowed to be less than the `segment_size` as that still allows the kernel to unambigously segment the content into individual packets. When GSO gets disabled at runtime due to lack of driver support, applications need to segment such a prepared batch themselves into individual `Transmit`s. Doing that may lead to situations in which a `Transmit` is handed to `quinn-udp` which still has the original `segment_size` set, yet its content is shorter than that. Not all kernels like that. Specifically, it has been observed that Android is particularly picky about these parameters. We already sanitise the `segment_size` such that it is not set when it is equal to the content length. To further increase the robustness of `quinn-udp`, we extend this check to only set it when it is strictly less than the content length. Related: #2201 Related: #2145 Related: firezone/firezone#8932
diff --git a/quinn-udp/src/unix.rs b/quinn-udp/src/unix.rs
@@ -612,11 +612,13 @@ fn prepare_msg(
         encoder.push(libc::IPPROTO_IPV6, libc::IPV6_TCLASS, ecn);
     }
 
-    // Only set the segment size if it is different from the size of the contents.
-    // Some network drivers don't like being told to do GSO even if there is effectively only a single segment.
+    // Only set the segment size if it is less than the size of the contents.
+    // Some network drivers don't like being told to do GSO even if there is effectively only a single segment (i.e. `segment_size == transmit.contents.len()`)
+    // Additionally, a `segment_size` that is greater than the content also means there is effectively only a single segment.
+    // This case is actually quite common when splitting up a prepared GSO batch again after GSO has been disabled because the last datagram in a GSO batch is allowed to be smaller than the segment size.
     if let Some(segment_size) = transmit
         .segment_size
-        .filter(|segment_size| *segment_size != transmit.contents.len())
+        .filter(|segment_size| *segment_size < transmit.contents.len())
     {
         gso::set_segment_size(&mut encoder, segment_size as u16);
     }

Original file line number	Diff line number	Diff line change
`@@ -612,11 +612,13 @@ fn prepare_msg(`
`612`	`612`	`encoder.push(libc::IPPROTO_IPV6, libc::IPV6_TCLASS, ecn);`
`613`	`613`	`}`
`614`	`614`
`615`		`- // Only set the segment size if it is different from the size of the contents.`
`616`		`- // Some network drivers don't like being told to do GSO even if there is effectively only a single segment.`
	`615`	`+ // Only set the segment size if it is less than the size of the contents.`
	`616`	+ // Some network drivers don't like being told to do GSO even if there is effectively only a single segment (i.e. `segment_size == transmit.contents.len()`)
	`617`	+ // Additionally, a `segment_size` that is greater than the content also means there is effectively only a single segment.
	`618`	`+ // This case is actually quite common when splitting up a prepared GSO batch again after GSO has been disabled because the last datagram in a GSO batch is allowed to be smaller than the segment size.`
`617`	`619`	`if let Some(segment_size) = transmit`
`618`	`620`	`.segment_size`
`619`		`- .filter(\|segment_size\| *segment_size != transmit.contents.len())`
	`621`	`+ .filter(\|segment_size\| *segment_size < transmit.contents.len())`
`620`	`622`	`{`
`621`	`623`	`gso::set_segment_size(&mut encoder, segment_size as u16);`
`622`	`624`	`}`