From 155b9fb45061ba8f0008bb4ca0cd086cf771afe8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nerijus=20Bend=C5=BEi=C5=ABnas?= Date: Sat, 4 Jul 2026 20:59:08 +0300 Subject: [PATCH 1/2] docs(cli): state the v2 chunk-size bound in --chunk help MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The help promised 1–65500 unconditionally, but --verify reserves 32 bytes per chunk for the hash, so its real maximum is 65468 — only the error message admitted it. Signed-off-by: Nerijus Bendžiūnas --- src/cli.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/cli.rs b/src/cli.rs index 54672f7..ea5f0c4 100644 --- a/src/cli.rs +++ b/src/cli.rs @@ -55,7 +55,7 @@ struct SendArgs { #[arg(long, value_name = "KIB/S", default_value_t = 512)] bw: u64, - /// Chunk size (1–65500) + /// Chunk size (1–65500; max 65468 with --verify) #[arg(long, value_name = "BYTES", default_value_t = DEFAULT_CHUNK_SIZE)] chunk: u32, From 92f5337bc3b3c743ecd1a465bdbf2792ed8f3de1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nerijus=20Bend=C5=BEi=C5=ABnas?= Date: Sat, 4 Jul 2026 21:05:21 +0300 Subject: [PATCH 2/2] docs: state the trust model in the README MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit A public tool should say out loud that the protocol is unauthenticated and unencrypted: anyone who can reach the port can write files into the receiver's directory, and the SHA-256 is sender-supplied so it only guards against transport corruption. Points at WireGuard-style tunnels and the planned PSK INIT authentication. Signed-off-by: Nerijus Bendžiūnas --- README.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/README.md b/README.md index 711a554..4da16fa 100644 --- a/README.md +++ b/README.md @@ -212,6 +212,22 @@ goes back to listening. Without `--serve` the same failure exits with an error. udpcp recv 9000 --serve # loop indefinitely ``` +## Security model + +udpcp has no authentication or encryption. Any host that can reach the +receiver's UDP port can deliver a file: the filename is sanitized (path +components and control characters are rejected), but the content and its +SHA-256 are supplied by the sender — the integrity check protects against +transport corruption, not against a malicious peer. A sender can create or +overwrite `` and `.tmp` in the receiver's working directory (or +the explicit output path). + +Run the receiver only on trusted networks or inside an encrypted tunnel such +as WireGuard. + +> **Planned**: pre-shared-key INIT authentication (HMAC-SHA256 over the INIT +> payload) so a receiver only accepts transfers from peers holding the key. + ## MTU tuning Link MTU varies by path. Standard Ethernet is 1500 B; some paths are as low