Fix: ssr bounds out of range panic (#882)

This commit is contained in:
gVisor bot 2020-08-11 10:17:40 +08:00
parent a77eab44e0
commit 13e5b1263b
2 changed files with 15 additions and 3 deletions

View file

@ -81,8 +81,9 @@ func (a *authAES128) Decode(b []byte) ([]byte, int, error) {
h := a.hmac(key, b[:2]) h := a.hmac(key, b[:2])
if !bytes.Equal(h[:2], b[2:4]) { if !bytes.Equal(h[:2], b[2:4]) {
return nil, 0, errAuthAES128HMACError return nil, 0, errAuthAES128IncorrectMAC
} }
length := int(binary.LittleEndian.Uint16(b[:2])) length := int(binary.LittleEndian.Uint16(b[:2]))
if length >= 8192 || length < 8 { if length >= 8192 || length < 8 {
return nil, 0, errAuthAES128DataLengthError return nil, 0, errAuthAES128DataLengthError
@ -90,6 +91,12 @@ func (a *authAES128) Decode(b []byte) ([]byte, int, error) {
if length > bSize { if length > bSize {
break break
} }
h = a.hmac(key, b[:bSize-4])
if !bytes.Equal(h[:4], b[bSize-4:]) {
return nil, 0, errAuthAES128IncorrectChecksum
}
a.recvID++ a.recvID++
pos := int(b[4]) pos := int(b[4])
if pos < 255 { if pos < 255 {
@ -98,6 +105,9 @@ func (a *authAES128) Decode(b []byte) ([]byte, int, error) {
pos = int(binary.LittleEndian.Uint16(b[5:7])) + 4 pos = int(binary.LittleEndian.Uint16(b[5:7])) + 4
} }
if pos > length-4 {
return nil, 0, errAuthAES128PositionTooLarge
}
a.buffer.Write(b[pos : length-4]) a.buffer.Write(b[pos : length-4])
b = b[length:] b = b[length:]
bSize -= length bSize -= length
@ -144,7 +154,7 @@ func (a *authAES128) DecodePacket(b []byte) ([]byte, int, error) {
bSize := len(b) bSize := len(b)
h := a.hmac(a.Key, b[:bSize-4]) h := a.hmac(a.Key, b[:bSize-4])
if !bytes.Equal(h[:4], b[bSize-4:]) { if !bytes.Equal(h[:4], b[bSize-4:]) {
return nil, 0, errAuthAES128HMACError return nil, 0, errAuthAES128IncorrectMAC
} }
return b[:bSize-4], bSize - 4, nil return b[:bSize-4], bSize - 4, nil
} }

View file

@ -9,8 +9,10 @@ import (
) )
var ( var (
errAuthAES128HMACError = errors.New("auth_aes128_* post decrypt hmac error") errAuthAES128IncorrectMAC = errors.New("auth_aes128_* post decrypt incorrect mac")
errAuthAES128DataLengthError = errors.New("auth_aes128_* post decrypt length mismatch") errAuthAES128DataLengthError = errors.New("auth_aes128_* post decrypt length mismatch")
errAuthAES128IncorrectChecksum = errors.New("auth_aes128_* post decrypt incorrect checksum")
errAuthAES128PositionTooLarge = errors.New("auth_aes128_* post decrypt posision is too large")
errAuthSHA1v4CRC32Error = errors.New("auth_sha1_v4 post decrypt data crc32 error") errAuthSHA1v4CRC32Error = errors.New("auth_sha1_v4 post decrypt data crc32 error")
errAuthSHA1v4DataLengthError = errors.New("auth_sha1_v4 post decrypt data length error") errAuthSHA1v4DataLengthError = errors.New("auth_sha1_v4 post decrypt data length error")
errAuthSHA1v4IncorrectChecksum = errors.New("auth_sha1_v4 post decrypt incorrect checksum") errAuthSHA1v4IncorrectChecksum = errors.New("auth_sha1_v4 post decrypt incorrect checksum")