Guard MSS clamp precompute against MTU smaller than TCP/IP header overhead

2026-05-05 00:26:39 +00:00 · 2026-05-04 11:52:16 +02:00
parent 5cb82b26c8
commit d8a5bdab88
1 changed files with 10 additions and 2 deletions
--- a/client/firewall/uspfilter/filter.go
+++ b/client/firewall/uspfilter/filter.go
@@ -275,8 +275,12 @@ func create(iface common.IFaceMapper, nativeFirewall firewall.Manager, disableSe

 	if !disableMSSClamping {
 		m.mssClampEnabled = true
-		m.mssClampValueIPv4 = mtu - ipv4TCPHeaderMinSize
-		m.mssClampValueIPv6 = mtu - ipv6TCPHeaderMinSize
+		if mtu > ipv4TCPHeaderMinSize {
+			m.mssClampValueIPv4 = mtu - ipv4TCPHeaderMinSize
+		}
+		if mtu > ipv6TCPHeaderMinSize {
+			m.mssClampValueIPv6 = mtu - ipv6TCPHeaderMinSize
+		}
 	}
 	if err := m.localipmanager.UpdateLocalIPs(iface); err != nil {
 		return nil, fmt.Errorf("update local IPs: %w", err)
@@ -862,6 +866,10 @@ func (m *Manager) clampTCPMSS(packetData []byte, d *decoder) bool {
 		return false
 	}

+	if mssClampValue == 0 {
+		return false
+	}
+
 	mssOptionIndex := -1
 	var currentMSS uint16
 	for i, opt := range d.tcp.Options {