Fix: drop UDP packet which mismatched destination for VMess (#2410)

Co-authored-by: SUN Sizhe <sunsizhe@cmi.chinamobile.com>
This commit is contained in:
gVisor bot 2022-11-26 11:27:24 +08:00
parent e7b20edcba
commit ee13bbd9cf

View file

@ -20,6 +20,8 @@ import (
"golang.org/x/net/http2" "golang.org/x/net/http2"
) )
var ErrUDPRemoteAddrMismatch = errors.New("udp packet dropped due to mismatched remote address")
type Vmess struct { type Vmess struct {
*Base *Base
client *vmess.Client client *vmess.Client
@ -358,7 +360,14 @@ type vmessPacketConn struct {
rAddr net.Addr rAddr net.Addr
} }
// WriteTo implments C.PacketConn.WriteTo
// Since VMess doesn't support full cone NAT by design, we verify if addr matches uc.rAddr, and drop the packet if not.
func (uc *vmessPacketConn) WriteTo(b []byte, addr net.Addr) (int, error) { func (uc *vmessPacketConn) WriteTo(b []byte, addr net.Addr) (int, error) {
allowedAddr := uc.rAddr.(*net.UDPAddr)
destAddr := addr.(*net.UDPAddr)
if !(allowedAddr.IP.Equal(destAddr.IP) && allowedAddr.Port == destAddr.Port) {
return 0, ErrUDPRemoteAddrMismatch
}
return uc.Conn.Write(b) return uc.Conn.Write(b)
} }