fix(connlib): handle null-termination of TUN device path string correctly (#3449)

Credit to @Intuinewin from #3445 --------- Signed-off-by: Thomas Eizinger <thomas@eizinger.io> Co-authored-by: Thomas Eizinger <thomas@eizinger.io>
2026-01-27 18:18:55 +00:00 · 2024-01-30 17:49:51 -08:00
parent ab7c947d0f
commit cd1f047575
1 changed files with 5 additions and 2 deletions
--- a/rust/connlib/tunnel/src/device_channel/tun_linux.rs
+++ b/rust/connlib/tunnel/src/device_channel/tun_linux.rs
@@ -15,6 +15,7 @@ use std::net::IpAddr;
 use std::path::Path;
 use std::task::{Context, Poll};
 use std::{
+    ffi::CStr,
    fmt, fs, io,
    os::{
        fd::{AsRawFd, RawFd},
@@ -29,13 +30,15 @@ pub(crate) const SIOCGIFMTU: libc::c_ulong = libc::SIOCGIFMTU;

 const IFACE_NAME: &str = "tun-firezone";
 const TUNSETIFF: libc::c_ulong = 0x4004_54ca;
-const TUN_FILE: &[u8] = b"/dev/net/tun\0";
 const TUN_DEV_MAJOR: u32 = 10;
 const TUN_DEV_MINOR: u32 = 200;
 const RT_PROT_STATIC: u8 = 4;
 const DEFAULT_MTU: u32 = 1280;
 const FILE_ALREADY_EXISTS: i32 = -17;

+// Safety: We know that this is a valid C string.
+const TUN_FILE: &CStr = unsafe { CStr::from_bytes_with_nul_unchecked(b"/dev/net/tun\0") };
+
 pub struct Tun {
    handle: Handle,
    connection: tokio::task::JoinHandle<()>,
@@ -242,7 +245,7 @@ fn set_non_blocking(fd: RawFd) -> Result<()> {
 }

 fn create_tun_device() -> Result<()> {
-    let path = Path::new(std::str::from_utf8(TUN_FILE).unwrap());
+    let path = Path::new(TUN_FILE.to_str().expect("path is valid utf-8"));

    if path.exists() {
        return Ok(());