fix: Read() data truncation issue

remove the multireader abstraction and modify conn.Read() so that we
start by draining buffered data (from the header parsing), then reading
directly from the underlying connection in a single Read() call

fixes data loss in TLS passthrough scenarios (e.g. ingress-nginx)
when PROXY header + TLS ClientHello exceeds the 256-byte buffer.

Author: clementnuss

protocol.go

@@ -52,7 +52,6 @@ type Conn struct {
 	readErr           error
 	conn              net.Conn
 	bufReader         *bufio.Reader
-	reader            io.Reader
 	header            *Header
 	ProxyHeaderPolicy Policy
 	Validate          Validator
@@ -161,7 +160,6 @@ func NewConn(conn net.Conn, opts ...func(*Conn)) *Conn {
 
 	pConn := &Conn{
 		bufReader: br,
-		reader:    io.MultiReader(br, conn),
 		conn:      conn,
 	}
 
@@ -183,7 +181,18 @@ func (p *Conn) Read(b []byte) (int, error) {
 		return 0, p.readErr
 	}
 
-	return p.reader.Read(b)
+	// First drain any buffered data from header parsing,
+	// then read directly from the underlying connection.
+	n := 0
+	if p.bufReader.Buffered() > 0 {
+		n, _ = p.bufReader.Read(b)
+	}
+
+	if n < len(b) {
+		nn, err := p.conn.Read(b[n:])
+		return n + nn, err
+	}
+	return n, nil
 }
 
 // Write wraps original conn.Write.