From 8cb2db53216e52b2db2ec3d72925b475dc6d6e06 Mon Sep 17 00:00:00 2001
From: Loyalsoldier <10487845+Loyalsoldier@users.noreply.github.com>
Date: Sat, 28 Nov 2020 21:56:20 +0800
Subject: [PATCH] Fix: security issues & overflow potentiality (#465)

---
 common/crypto/auth.go           | 13 +++++++++++--
 common/mux/writer.go            |  7 ++++++-
 common/net/connection.go        |  7 ++++++-
 common/protocol/http/headers.go |  2 +-
 proxy/vless/encoding/addons.go  |  8 +++++++-
 5 files changed, 31 insertions(+), 6 deletions(-)

diff --git a/common/crypto/auth.go b/common/crypto/auth.go
index 2e64c8110..63cd9d557 100644
--- a/common/crypto/auth.go
+++ b/common/crypto/auth.go
@@ -8,6 +8,7 @@ import (
 	"v2ray.com/core/common"
 	"v2ray.com/core/common/buf"
 	"v2ray.com/core/common/bytespool"
+	"v2ray.com/core/common/errors"
 	"v2ray.com/core/common/protocol"
 )
 
@@ -278,7 +279,11 @@ func (w *AuthenticationWriter) writeStream(mb buf.MultiBuffer) error {
 	}
 
 	payloadSize := buf.Size - int32(w.auth.Overhead()) - w.sizeParser.SizeBytes() - maxPadding
-	mb2Write := make(buf.MultiBuffer, 0, len(mb)+10)
+	if len(mb)+10 > 64*1024*1024 {
+		return errors.New("value too large")
+	}
+	sliceSize := len(mb) + 10
+	mb2Write := make(buf.MultiBuffer, 0, sliceSize)
 
 	temp := buf.New()
 	defer temp.Release()
@@ -307,7 +312,11 @@ func (w *AuthenticationWriter) writeStream(mb buf.MultiBuffer) error {
 func (w *AuthenticationWriter) writePacket(mb buf.MultiBuffer) error {
 	defer buf.ReleaseMulti(mb)
 
-	mb2Write := make(buf.MultiBuffer, 0, len(mb)+1)
+	if len(mb)+1 > 64*1024*1024 {
+		return errors.New("value too large")
+	}
+	sliceSize := len(mb) + 1
+	mb2Write := make(buf.MultiBuffer, 0, sliceSize)
 
 	for _, b := range mb {
 		if b.IsEmpty() {
diff --git a/common/mux/writer.go b/common/mux/writer.go
index 21850ac60..c28852d9b 100644
--- a/common/mux/writer.go
+++ b/common/mux/writer.go
@@ -3,6 +3,7 @@ package mux
 import (
 	"v2ray.com/core/common"
 	"v2ray.com/core/common/buf"
+	"v2ray.com/core/common/errors"
 	"v2ray.com/core/common/net"
 	"v2ray.com/core/common/protocol"
 	"v2ray.com/core/common/serial"
@@ -70,7 +71,11 @@ func writeMetaWithFrame(writer buf.Writer, meta FrameMetadata, data buf.MultiBuf
 		return err
 	}
 
-	mb2 := make(buf.MultiBuffer, 0, len(data)+1)
+	if len(data)+1 > 64*1024*1024 {
+		return errors.New("value too large")
+	}
+	sliceSize := len(data) + 1
+	mb2 := make(buf.MultiBuffer, 0, sliceSize)
 	mb2 = append(mb2, frame)
 	mb2 = append(mb2, data...)
 	return writer.WriteMultiBuffer(mb2)
diff --git a/common/net/connection.go b/common/net/connection.go
index 0540ce99a..f271beef9 100644
--- a/common/net/connection.go
+++ b/common/net/connection.go
@@ -9,6 +9,7 @@ import (
 
 	"v2ray.com/core/common"
 	"v2ray.com/core/common/buf"
+	"v2ray.com/core/common/errors"
 	"v2ray.com/core/common/signal/done"
 )
 
@@ -109,8 +110,12 @@ func (c *connection) Write(b []byte) (int, error) {
 		return 0, io.ErrClosedPipe
 	}
 
+	if len(b)/buf.Size+1 > 64*1024*1024 {
+		return 0, errors.New("value too large")
+	}
 	l := len(b)
-	mb := make(buf.MultiBuffer, 0, l/buf.Size+1)
+	sliceSize := l/buf.Size + 1
+	mb := make(buf.MultiBuffer, 0, sliceSize)
 	mb = buf.MergeBytes(mb, b)
 	return l, c.writer.WriteMultiBuffer(mb)
 }
diff --git a/common/protocol/http/headers.go b/common/protocol/http/headers.go
index 95eb53066..1dfe4d027 100644
--- a/common/protocol/http/headers.go
+++ b/common/protocol/http/headers.go
@@ -57,7 +57,7 @@ func ParseHost(rawHost string, defaultPort net.Port) (net.Destination, error) {
 			return net.Destination{}, err
 		}
 	} else if len(rawPort) > 0 {
-		intPort, err := strconv.Atoi(rawPort)
+		intPort, err := strconv.ParseUint(rawPort, 0, 16)
 		if err != nil {
 			return net.Destination{}, err
 		}
diff --git a/proxy/vless/encoding/addons.go b/proxy/vless/encoding/addons.go
index 266fa51f2..6eb9cbbaa 100644
--- a/proxy/vless/encoding/addons.go
+++ b/proxy/vless/encoding/addons.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/golang/protobuf/proto"
 	"v2ray.com/core/common/buf"
+	"v2ray.com/core/common/errors"
 	"v2ray.com/core/common/protocol"
 )
 
@@ -67,7 +68,12 @@ type MultiLengthPacketWriter struct {
 
 func (w *MultiLengthPacketWriter) WriteMultiBuffer(mb buf.MultiBuffer) error {
 	defer buf.ReleaseMulti(mb)
-	mb2Write := make(buf.MultiBuffer, 0, len(mb)+1)
+
+	if len(mb)+1 > 64*1024*1024 {
+		return errors.New("value too large")
+	}
+	sliceSize := len(mb) + 1
+	mb2Write := make(buf.MultiBuffer, 0, sliceSize)
 	for _, b := range mb {
 		length := b.Len()
 		if length == 0 || length+2 > buf.Size {