From 4ba6f248bc23bc4bd3dfddf38984a5413d2fae92 Mon Sep 17 00:00:00 2001 From: goomadao <39483078+goomadao@users.noreply.github.com> Date: Tue, 11 Aug 2020 10:17:40 +0800 Subject: [PATCH] Fix: ssr bounds out of range panic (#882) --- component/ssr/protocol/auth_aes128_md5.go | 14 ++++++++++++-- component/ssr/protocol/protocol.go | 4 +++- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/component/ssr/protocol/auth_aes128_md5.go b/component/ssr/protocol/auth_aes128_md5.go index cbe56921..0740f0b3 100644 --- a/component/ssr/protocol/auth_aes128_md5.go +++ b/component/ssr/protocol/auth_aes128_md5.go @@ -81,8 +81,9 @@ func (a *authAES128) Decode(b []byte) ([]byte, int, error) { h := a.hmac(key, b[:2]) if !bytes.Equal(h[:2], b[2:4]) { - return nil, 0, errAuthAES128HMACError + return nil, 0, errAuthAES128IncorrectMAC } + length := int(binary.LittleEndian.Uint16(b[:2])) if length >= 8192 || length < 8 { return nil, 0, errAuthAES128DataLengthError @@ -90,6 +91,12 @@ func (a *authAES128) Decode(b []byte) ([]byte, int, error) { if length > bSize { break } + + h = a.hmac(key, b[:bSize-4]) + if !bytes.Equal(h[:4], b[bSize-4:]) { + return nil, 0, errAuthAES128IncorrectChecksum + } + a.recvID++ pos := int(b[4]) if pos < 255 { @@ -98,6 +105,9 @@ func (a *authAES128) Decode(b []byte) ([]byte, int, error) { pos = int(binary.LittleEndian.Uint16(b[5:7])) + 4 } + if pos > length-4 { + return nil, 0, errAuthAES128PositionTooLarge + } a.buffer.Write(b[pos : length-4]) b = b[length:] bSize -= length @@ -144,7 +154,7 @@ func (a *authAES128) DecodePacket(b []byte) ([]byte, int, error) { bSize := len(b) h := a.hmac(a.Key, b[:bSize-4]) if !bytes.Equal(h[:4], b[bSize-4:]) { - return nil, 0, errAuthAES128HMACError + return nil, 0, errAuthAES128IncorrectMAC } return b[:bSize-4], bSize - 4, nil } diff --git a/component/ssr/protocol/protocol.go b/component/ssr/protocol/protocol.go index b2aa8e93..943303da 100644 --- a/component/ssr/protocol/protocol.go +++ b/component/ssr/protocol/protocol.go @@ -9,8 +9,10 @@ import ( ) var ( - errAuthAES128HMACError = errors.New("auth_aes128_* post decrypt hmac error") + errAuthAES128IncorrectMAC = errors.New("auth_aes128_* post decrypt incorrect mac") errAuthAES128DataLengthError = errors.New("auth_aes128_* post decrypt length mismatch") + errAuthAES128IncorrectChecksum = errors.New("auth_aes128_* post decrypt incorrect checksum") + errAuthAES128PositionTooLarge = errors.New("auth_aes128_* post decrypt posision is too large") errAuthSHA1v4CRC32Error = errors.New("auth_sha1_v4 post decrypt data crc32 error") errAuthSHA1v4DataLengthError = errors.New("auth_sha1_v4 post decrypt data length error") errAuthSHA1v4IncorrectChecksum = errors.New("auth_sha1_v4 post decrypt incorrect checksum")