Skip to content

Commit e18a599

Browse files
nekohasekainekohasekai
committed
hysteria2: Fix ReadTCPResponse crash
1 parent a7af781 commit e18a599

File tree

1 file changed

+24
-9
lines changed

1 file changed

+24
-9
lines changed

hysteria2/internal/protocol/proxy.go

+24-9
Original file line numberDiff line numberDiff line change
@@ -92,36 +92,48 @@ func WriteTCPRequest(addr string, payload []byte) *buf.Buffer {
9292
// Padding length (QUIC varint)
9393
// Padding (bytes)
9494

95-
func ReadTCPResponse(r io.Reader) (bool, string, error) {
95+
func ReadTCPResponse(r io.Reader) (ok bool, message string, err error) {
9696
var status [1]byte
97-
if _, err := io.ReadFull(r, status[:]); err != nil {
98-
return false, "", err
97+
_, err = io.ReadFull(r, status[:])
98+
if err != nil {
99+
return
99100
}
101+
ok = status[0] == 0
100102
bReader := quicvarint.NewReader(r)
101-
msg, err := ReadVString(bReader)
103+
messageLen, err := quicvarint.Read(bReader)
104+
if err != nil {
105+
return
106+
}
107+
if messageLen > MaxMessageLength {
108+
return false, "", E.New("invalid message length")
109+
}
110+
message, err = rw.ReadString(r, int(messageLen))
102111
if err != nil {
103-
return false, "", err
112+
return
104113
}
105114
paddingLen, err := quicvarint.Read(bReader)
106115
if err != nil {
107-
return false, "", err
116+
return
108117
}
109118
if paddingLen > MaxPaddingLength {
110119
return false, "", E.New("invalid padding length")
111120
}
112121
if paddingLen > 0 {
113122
_, err = io.CopyN(io.Discard, r, int64(paddingLen))
114123
if err != nil {
115-
return false, "", err
124+
return
116125
}
117126
}
118-
return status[0] == 0, msg, nil
127+
return
119128
}
120129

121130
func WriteTCPResponse(ok bool, msg string, payload []byte) *buf.Buffer {
122131
padding := tcpResponsePadding.String()
123132
paddingLen := len(padding)
124133
msgLen := len(msg)
134+
if msgLen > MaxMessageLength {
135+
msgLen = MaxMessageLength
136+
}
125137
sz := 1 + int(quicvarint.Len(uint64(msgLen))) + msgLen +
126138
int(quicvarint.Len(uint64(paddingLen))) + paddingLen
127139
buffer := buf.NewSize(sz + len(payload))
@@ -198,7 +210,7 @@ func ParseUDPMessage(msg []byte) (*UDPMessage, error) {
198210
if err != nil {
199211
return nil, err
200212
}
201-
if lAddr == 0 || lAddr > MaxMessageLength {
213+
if lAddr == 0 || lAddr > MaxAddressLength {
202214
return nil, E.New("invalid address length")
203215
}
204216
bs := buf.Bytes()
@@ -212,6 +224,9 @@ func ReadVString(reader io.Reader) (string, error) {
212224
if err != nil {
213225
return "", err
214226
}
227+
if length > MaxAddressLength {
228+
return "", E.New("invalid address length")
229+
}
215230
value, err := rw.ReadBytes(reader, int(length))
216231
if err != nil {
217232
return "", err

0 commit comments

Comments
 (0)