1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
|
From: Shelikhoo <xiaokangwang@outlook.com>
Date: Sun, 5 Dec 2021 19:15:38 +0000
Subject: Fix DoS attack vulnerability in CommandSwitchAccountFactory
(cherry picked from commit c1af2bfd7aa59a4482aa7f6ec4b9208c1d350b5c)
Closes: #1010377
---
proxy/vmess/encoding/commands.go | 2 +-
proxy/vmess/encoding/commands_test.go | 21 +++++++++++++++++++++
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/proxy/vmess/encoding/commands.go b/proxy/vmess/encoding/commands.go
index 4b0bc44..0d0d6c9 100644
--- a/proxy/vmess/encoding/commands.go
+++ b/proxy/vmess/encoding/commands.go
@@ -140,7 +140,7 @@ func (f *CommandSwitchAccountFactory) Unmarshal(data []byte) (interface{}, error
}
cmd.Level = uint32(data[levelStart])
timeStart := levelStart + 1
- if len(data) < timeStart {
+ if len(data) < timeStart+1 {
return nil, newError("insufficient length.")
}
cmd.ValidMin = data[timeStart]
diff --git a/proxy/vmess/encoding/commands_test.go b/proxy/vmess/encoding/commands_test.go
index a283352..db122c8 100644
--- a/proxy/vmess/encoding/commands_test.go
+++ b/proxy/vmess/encoding/commands_test.go
@@ -1,6 +1,7 @@
package encoding_test
import (
+ "github.com/stretchr/testify/assert"
"testing"
"github.com/google/go-cmp/cmp"
@@ -35,3 +36,23 @@ func TestSwitchAccount(t *testing.T) {
t.Error(r)
}
}
+
+func TestSwitchAccountBugOffByOne(t *testing.T) {
+ sa := &protocol.CommandSwitchAccount{
+ Port: 1234,
+ ID: uuid.New(),
+ AlterIds: 1024,
+ Level: 128,
+ ValidMin: 16,
+ }
+
+ buffer := buf.New()
+ csaf := CommandSwitchAccountFactory{}
+ common.Must(csaf.Marshal(sa, buffer))
+
+ Payload := buffer.Bytes()
+
+ cmd, err := csaf.Unmarshal(Payload[:len(Payload)-1])
+ assert.Error(t, err)
+ assert.Nil(t, cmd)
+}
|
