mirror of https://github.com/v2fly/v2ray-core.git synced 2024-06-10 09:50:43 +00:00

Fix: security issues & overflow potentiality (#465)

Loyalsoldier 2020-11-28 21:56:20 +08:00 committed by GitHub
parent 0bf185e705
commit 8cb2db5321
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 31 additions and 6 deletions


@ -8,6 +8,7 @@ import (
"v2ray.com/core/common"
"v2ray.com/core/common/buf"
"v2ray.com/core/common/bytespool"
"v2ray.com/core/common/errors"
"v2ray.com/core/common/protocol"
)
@ -278,7 +279,11 @@ func (w *AuthenticationWriter) writeStream(mb buf.MultiBuffer) error {
}
payloadSize := buf.Size - int32(w.auth.Overhead()) - w.sizeParser.SizeBytes() - maxPadding
mb2Write := make(buf.MultiBuffer, 0, len(mb)+10)
if len(mb)+10 > 64*1024*1024 {
return errors.New("value too large")
}
sliceSize := len(mb) + 10
mb2Write := make(buf.MultiBuffer, 0, sliceSize)
temp := buf.New()
defer temp.Release()
@ -307,7 +312,11 @@ func (w *AuthenticationWriter) writeStream(mb buf.MultiBuffer) error {
func (w *AuthenticationWriter) writePacket(mb buf.MultiBuffer) error {
defer buf.ReleaseMulti(mb)
mb2Write := make(buf.MultiBuffer, 0, len(mb)+1)
if len(mb)+1 > 64*1024*1024 {
return errors.New("value too large")
}
sliceSize := len(mb) + 1
mb2Write := make(buf.MultiBuffer, 0, sliceSize)
for _, b := range mb {
if b.IsEmpty() {
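Review bot: The `64*1024*1024` ceiling is a bare literal in both writeStream and writePacket here, and again in writeMetaWithFrame, connection.Write and MultiLengthPacketWriter.WriteMultiBuffer, with the size expression evaluated once for the check and a second time for `sliceSize`. Computing the size first and comparing it against one shared named constant keeps the guard and the allocation from drifting apart, e.g. `sliceSize := len(mb) + 10` followed by `if sliceSize > maxMultiBufferCap { return errors.New("value too large") }` (the constant name is only a suggestion). The message would also be easier to act on in logs if it named the writer and the limit that was exceeded. Both function bodies continue outside their hunks.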


@ -3,6 +3,7 @@ package mux
import (
"v2ray.com/core/common"
"v2ray.com/core/common/buf"
"v2ray.com/core/common/errors"
"v2ray.com/core/common/net"
"v2ray.com/core/common/protocol"
"v2ray.com/core/common/serial"
@ -70,7 +71,11 @@ func writeMetaWithFrame(writer buf.Writer, meta FrameMetadata, data buf.MultiBuf
return err
}
mb2 := make(buf.MultiBuffer, 0, len(data)+1)
if len(data)+1 > 64*1024*1024 {
return errors.New("value too large")
}
sliceSize := len(data) + 1
mb2 := make(buf.MultiBuffer, 0, sliceSize)
mb2 = append(mb2, frame)
mb2 = append(mb2, data...)
return writer.WriteMultiBuffer(mb2)
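Review bot: The new early return leaves writeMetaWithFrame before `frame` and `data` are handed to `writer.WriteMultiBuffer`, and no release of either is visible in this hunk, unlike writePacket and MultiLengthPacketWriter.WriteMultiBuffer, where `defer buf.ReleaseMulti(mb)` precedes the same check. If these buffers are pool-backed, the rejected path would not return them to the pool; consider `buf.ReleaseMulti(data)` and `frame.Release()` before the return, or moving the size check above the point where `frame` is allocated. The start of the function is outside the hunk, so confirm that nothing earlier already owns the cleanup.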


@ -9,6 +9,7 @@ import (
"v2ray.com/core/common"
"v2ray.com/core/common/buf"
"v2ray.com/core/common/errors"
"v2ray.com/core/common/signal/done"
)
@ -109,8 +110,12 @@ func (c *connection) Write(b []byte) (int, error) {
return 0, io.ErrClosedPipe
}
if len(b)/buf.Size+1 > 64*1024*1024 {
return 0, errors.New("value too large")
}
l := len(b)
mb := make(buf.MultiBuffer, 0, l/buf.Size+1)
sliceSize := l/buf.Size + 1
mb := make(buf.MultiBuffer, 0, sliceSize)
mb = buf.MergeBytes(mb, b)
return l, c.writer.WriteMultiBuffer(mb)
}
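Review bot: The guard in connection.Write limits the number of buf.Size-sized chunks, not the byte length of `b`, so the effective ceiling is 64Mi × buf.Size bytes; a comment such as `// limit counts buffers of buf.Size bytes, not bytes` above the check would keep a later reader from taking it for a 64 MiB write cap. The check also runs before `l := len(b)`, so the length is read twice. Declaring `l` first, computing `sliceSize` from it and testing `sliceSize` gives the allocation size a single source of truth.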


@ -57,7 +57,7 @@ func ParseHost(rawHost string, defaultPort net.Port) (net.Destination, error) {
return net.Destination{}, err
}
} else if len(rawPort) > 0 {
intPort, err := strconv.Atoi(rawPort)
intPort, err := strconv.ParseUint(rawPort, 0, 16)
if err != nil {
return net.Destination{}, err
}
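Review bot: Passing base 0 to `strconv.ParseUint` makes the port parser follow Go integer-literal syntax, so `0x50` is now accepted as 80 and `010` is read as 8, while `080` is rejected; with the previous `strconv.Atoi` the first was an error and the other two were decimal 10 and 80. The 16-bit bound is the useful part of the change, and `intPort, err := strconv.ParseUint(rawPort, 10, 16)` keeps it without changing which strings are valid ports. A port string that this function and another component interpret differently can undermine allow-list or routing decisions made on the parsed destination. The rest of ParseHost is outside the hunk, so the later conversion of `intPort` (now a uint64) cannot be checked here.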


@ -7,6 +7,7 @@ import (
"github.com/golang/protobuf/proto"
"v2ray.com/core/common/buf"
"v2ray.com/core/common/errors"
"v2ray.com/core/common/protocol"
)
@ -67,7 +68,12 @@ type MultiLengthPacketWriter struct {
func (w *MultiLengthPacketWriter) WriteMultiBuffer(mb buf.MultiBuffer) error {
defer buf.ReleaseMulti(mb)
mb2Write := make(buf.MultiBuffer, 0, len(mb)+1)
if len(mb)+1 > 64*1024*1024 {
return errors.New("value too large")
}
sliceSize := len(mb) + 1
mb2Write := make(buf.MultiBuffer, 0, sliceSize)
for _, b := range mb {
length := b.Len()
if length == 0 || length+2 > buf.Size {