From 6fb5c887b23c1cef10ab969e2790a28e1f5371bd Mon Sep 17 00:00:00 2001 From: Shelikhoo Date: Sun, 5 Dec 2021 19:15:38 +0000 Subject: [PATCH] Fix DoS attack vulnerability in CommandSwitchAccountFactory --- proxy/vmess/encoding/commands.go | 2 +- proxy/vmess/encoding/commands_test.go | 21 +++++++++++++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/proxy/vmess/encoding/commands.go b/proxy/vmess/encoding/commands.go index de2e0253..538ffaa3 100644 --- a/proxy/vmess/encoding/commands.go +++ b/proxy/vmess/encoding/commands.go @@ -139,7 +139,7 @@ func (f *CommandSwitchAccountFactory) Unmarshal(data []byte) (interface{}, error } cmd.Level = uint32(data[levelStart]) timeStart := levelStart + 1 - if len(data) < timeStart { + if len(data) < timeStart+1 { return nil, newError("insufficient length.") } cmd.ValidMin = data[timeStart] diff --git a/proxy/vmess/encoding/commands_test.go b/proxy/vmess/encoding/commands_test.go index 12acfba4..5b337b46 100644 --- a/proxy/vmess/encoding/commands_test.go +++ b/proxy/vmess/encoding/commands_test.go @@ -4,6 +4,7 @@ import ( "testing" "github.com/google/go-cmp/cmp" + "github.com/stretchr/testify/assert" "github.com/xtls/xray-core/common" "github.com/xtls/xray-core/common/buf" @@ -35,3 +36,23 @@ func TestSwitchAccount(t *testing.T) { t.Error(r) } } + +func TestSwitchAccountBugOffByOne(t *testing.T) { + sa := &protocol.CommandSwitchAccount{ + Port: 1234, + ID: uuid.New(), + AlterIds: 1024, + Level: 128, + ValidMin: 16, + } + + buffer := buf.New() + csaf := CommandSwitchAccountFactory{} + common.Must(csaf.Marshal(sa, buffer)) + + Payload := buffer.Bytes() + + cmd, err := csaf.Unmarshal(Payload[:len(Payload)-1]) + assert.Error(t, err) + assert.Nil(t, cmd) +}