Skip to main content

Module fragmentation

Module fragmentation 

Source
Available on crate feature std only.
Expand description

UDP fragmentation and reassembly with anti-DoS bounds.

A logical packet larger than MAX_UDP_PAYLOAD is split into CryptoFrame chunks by fragment_payload and reassembled by FragmentAssembler. Because the wire is unreliable, unordered UDP, the assembler buffers partial assemblies keyed on (session_id, packet_id) and completes a packet once every chunk index has arrived.

The reassembler is the only stateful, attacker-reachable buffer in the fragmentation path, so every input is bounds-checked: a bad fragment is silently dropped (never an error). The three caps below (MAX_REASSEMBLED_LEN, MAX_TOTAL_CHUNKS, MAX_CONCURRENT_ASSEMBLIES) plus the M-7 insert-if-absent rule bound the memory a peer can pin and stop a spoofed-key attacker from corrupting a victim’s reassembly.

This module is target-agnostic; the production PhantomUDP transport reuses it via transport::phantom_udp::datagram.

Structs§

CryptoFrame
A single chunk of a fragmented logical packet.
FragmentAssembler

Constants§

MAX_CONCURRENT_ASSEMBLIES
Maximum number of in-flight (incomplete) assemblies tracked at once. Caps the memory an attacker can pin by spraying chunks across many distinct (session_id, packet_id) keys without ever completing a packet. The worst-case resident memory is therefore bounded by MAX_CONCURRENT_ASSEMBLIES * MAX_REASSEMBLED_LEN (≈ 64 MiB).
MAX_REASSEMBLED_LEN
Largest logical packet the assembler will reassemble. Bounds the memory a single (session_id, packet_id) assembly can pin: at most MAX_TOTAL_CHUNKS chunks of MAX_UDP_PAYLOAD bytes each.
MAX_TOTAL_CHUNKS
Maximum fragments per logical packet, derived from the reassembled-size cap. A frame declaring more than this (up to the u16::MAX the wire allows) is dropped, so an attacker cannot force a 65 535-entry chunk map.

Functions§

fragment_payload
Split a large payload into CryptoFrame chunks