Conversation
|
跟下面out of bound合一起吧 |
done. |
|
我先前的要求不太对 我重新检查了一下dns over tcp的实现 它将长度读取为int16 但是实际数据类型是uint16 因为正数时二者的二进制布局刚好一致导致了问题 修正后应该没有问题了 可以按原设计抛出错误 |
potential same panic in another code as well. Xray-core/app/dns/nameserver_quic.go Line 157 in b69a376 Xray-core/transport/internet/kcp/io.go Line 84 in b69a376 Line 180 in b69a376 ReadFullFrom as a common util function, it's better to add negative size check. |
|
quic改了 nonceSize是负就应该panic xudp是有预检的 就这样吧 有问题再说 |
Fangliding
changed the title
Co-authored-by: 风扇滑翔翼 <Fangliding.fshxy@outlook.com>
3 participants
While buffer.go uses int32 type size not uint32 type, malformed dns response causes ReadFullFrom with negative size which leading to slice bounds out of range panic.
Here is the panic log (my dns server has additional fields):
2025/10/15 17:05:11.712529[Error] app/dns: failed to read response length > io: read/write on closed pipe panic: runtime error: slice bounds out of range [:-21477] goroutine 9214 [running]: github.com/xtls/xray-core/common/buf. (*Buffer).ReadFullFrom(Ox5af0a27200?, [Ox6f45a34200?,0x4000baad20?],0xf14d26c0?) github.com/xtls/xray-core/common/buf/ buffer.go:340 +0x23c github.com/xtls/xray-core/app) dns.(*TCPNameServ er).sendQuery. func1(0x4000baac30) github. com/xtls/xray-core/ app/dns/ nameserver_tcp.go:184 +0x9c4 created by github.com/xtls/xray- core/app/dns. (*TCPNameServer) sendQuery in gor outine 9213 github.com/xtls/xray- core/app/dns/ nameserver. tcp.go:115 +0x274