Skip to content

QUIC sniffer: Fix potential slice panic #3406

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 5 commits into from
May 17, 2025
Merged

QUIC sniffer: Fix potential slice panic #3406

merged 5 commits into from
May 17, 2025

Conversation

@Fangliding
Copy link
Contributor

@Fangliding Fangliding commented May 9, 2025

From XTLS/Xray-core#3914

概述:
一些奇怪的数据包 读出的 packet number length 有可能会大于 length 本身 导致切片读取错误(b[17:15]这样) 样例数据在原issue有 可自行验证 想了一下比较简单的粗暴的方法大概就是检验后直接返回错误

先发到这里的原因是Xray的是从fly这copy的(其实这个错误从最开始的旧QUIC嗅探嗅探器就存在的样子)

CC: @Vigilans

Vigilans
Vigilans approved these changes May 9, 2025
View reviewed changes
Copy link
Contributor

@Vigilans Vigilans left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

前面的协议校验都过了,这两个都来自header的字段出了问题,确实很神奇

@Fangliding
Copy link
Contributor Author

Fangliding commented May 9, 2025
edited
Loading

前面的协议校验都过了,这两个都来自header的字段出了问题,确实很神奇

我又发现了一个潜在的崩溃位置 如果假header后面的数据太短了会导致 b[hdrLen+4:hdrLen+4+16] 再次超限(见我加的新test)

Vigilans
Vigilans reviewed May 10, 2025
View reviewed changes
common/protocol/quic/sniff.go
hdrLen := len(b) - int(buffer.Len())
if len(b) < hdrLen+int(packetLen) {
if len(b) < hdrLen+int(packetLen) || len(b) < hdrLen+20{
return nil, common.ErrNoClue // Not enough data to read as a QUIC packet. QUIC is UDP-based, so this is unlikely to happen.
Copy link
Contributor

@Vigilans Vigilans May 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

翻了一下协议好像没找到下面20(4+16)长度的准确解释,貌似是关于Packet Number Decoding的?

这一行可以付上 // See https://github.com/v2fly/v2ray-core/pull/3406#issuecomment-2866415064,方便查阅这个Magic Number的解释。

Copy link
Contributor Author

@Fangliding Fangliding May 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

翻了一下协议好像没找到下面20(4+16)长度的准确解释,貌似是关于Packet Number Decoding的?

这一行可以付上 // See https://github.com/v2fly/v2ray-core/pull/3406#issuecomment-2866415064,方便查阅这个Magic Number的解释。

如果地方多的话 感觉可能不如以前的xray偷懒做法 直接recover切片类panic当read错误返回notquic就行了

Copy link
Contributor

@dyhkwong dyhkwong May 15, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

这两个用例都是少了 115 行 packetLen < 4(即 origPNBytes 的长度)的判断,关于 packetNumberLength 应该另外处理(如 #3389

@xiaokangwang
Copy link
Contributor

xiaokangwang commented May 17, 2025

This pull request is ready to be merged. Thanks!

@xiaokangwang xiaokangwang merged commit 1f2d76c into v2fly:master May 17, 2025
40 of 41 checks passed
AutisticShark pushed a commit to The-NeXT-Project/NeXT-Server that referenced this pull request Jul 22, 2025
fix: temporarily disable quic sniff
2ccdae3 
Disable QUIC sniff until next-server is switched to v2ray-core.

Fixed in v2fly/v2ray-core#3406.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@Vigilans Vigilans Vigilans approved these changes

@dyhkwong dyhkwong dyhkwong left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Fangliding @xiaokangwang @Vigilans @dyhkwong