check payload length before decrypting it. fixes #1227

transport/internet/kcp/io.go

@@ -30,6 +30,10 @@ func (r *KCPPacketReader) Read(b []byte) []Segment {
 	}
 	if r.Security != nil {
 		nonceSize := r.Security.NonceSize()
+		overhead := r.Security.Overhead()
+		if len(b) <= nonceSize+overhead {
+			return nil
+		}
 		out, err := r.Security.Open(b[nonceSize:nonceSize], b[:nonceSize], b[nonceSize:], nil)
 		if err != nil {
 			return nil

transport/internet/kcp/io_test.go

@@ -1 +1,37 @@
 package kcp_test
+
+import (
+	"testing"
+
+	. "v2ray.com/core/transport/internet/kcp"
+)
+
+func TestKCPPacketReader(t *testing.T) {
+	reader := KCPPacketReader{
+		Security: &SimpleAuthenticator{},
+	}
+
+	testCases := []struct {
+		Input  []byte
+		Output []Segment
+	}{
+		{
+			Input:  []byte{},
+			Output: nil,
+		},
+		{
+			Input:  []byte{1},
+			Output: nil,
+		},
+	}
+
+	for _, testCase := range testCases {
+		seg := reader.Read(testCase.Input)
+		if testCase.Output == nil && seg != nil {
+			t.Errorf("Expect nothing returned, but actually %v", seg)
+		} else if testCase.Output != nil && seg == nil {
+			t.Errorf("Expect some output, but got nil")
+		}
+	}
+
+}