fix: break out of reading from the association if we can't get to relay (#245)

* fix: return early on failure to upgrade

* fix: add `ERR_READ` connection errors to track non-closure errors

* Close the association on invalid ciphers and packets to release resources.

* Break out of the association `Read()` loop on non-close read errors.

* Add `nil` checks.

* Simplify breaking out of the read loop for all initial packet errors.

* Simplify further by just checking the `targetConn`.

* Remove unnecessary `clientConn.Close()`.

* Improve comment slightly.

Author: sbruens

service/udp.go

@@ -170,6 +170,11 @@ func (h *associationHandler) HandleAssociation(ctx context.Context, clientConn n
 		var proxyTargetBytes int
 
 		connError := func() *onet.ConnectionError {
+			// Error from `clientConn.Read()`.
+			if err != nil {
+				return onet.NewConnectionError("ERR_READ", "Failed to read from association", err)
+			}
+
 			var payload []byte
 			var tgtUDPAddr *net.UDPAddr
 			if targetConn == nil {
@@ -233,6 +238,11 @@ func (h *associationHandler) HandleAssociation(ctx context.Context, clientConn n
 			status = connError.Status
 		}
 		assocMetrics.AddPacketFromClient(status, int64(clientProxyBytes), int64(proxyTargetBytes))
+		if targetConn == nil {
+			// If there's still no target connection, we didn't authenticate. Break out of handling the
+			// association here so resources can be released.
+			break
+		}
 	}
 }