Fix: security issues & overflow potentiality (#465)

common/crypto/auth.go

@@ -8,6 +8,7 @@ import (
 	"v2ray.com/core/common"
 	"v2ray.com/core/common/buf"
 	"v2ray.com/core/common/bytespool"
+	"v2ray.com/core/common/errors"
 	"v2ray.com/core/common/protocol"
 )
 
@@ -278,7 +279,11 @@ func (w *AuthenticationWriter) writeStream(mb buf.MultiBuffer) error {
 	}
 
 	payloadSize := buf.Size - int32(w.auth.Overhead()) - w.sizeParser.SizeBytes() - maxPadding
-	mb2Write := make(buf.MultiBuffer, 0, len(mb)+10)
+	if len(mb)+10 > 64*1024*1024 {
+		return errors.New("value too large")
+	}
+	sliceSize := len(mb) + 10
+	mb2Write := make(buf.MultiBuffer, 0, sliceSize)
 
 	temp := buf.New()
 	defer temp.Release()
@@ -307,7 +312,11 @@ func (w *AuthenticationWriter) writeStream(mb buf.MultiBuffer) error {
 func (w *AuthenticationWriter) writePacket(mb buf.MultiBuffer) error {
 	defer buf.ReleaseMulti(mb)
 
-	mb2Write := make(buf.MultiBuffer, 0, len(mb)+1)
+	if len(mb)+1 > 64*1024*1024 {
+		return errors.New("value too large")
+	}
+	sliceSize := len(mb) + 1
+	mb2Write := make(buf.MultiBuffer, 0, sliceSize)
 
 	for _, b := range mb {
 		if b.IsEmpty() {

common/mux/writer.go

@@ -3,6 +3,7 @@ package mux
 import (
 	"v2ray.com/core/common"
 	"v2ray.com/core/common/buf"
+	"v2ray.com/core/common/errors"
 	"v2ray.com/core/common/net"
 	"v2ray.com/core/common/protocol"
 	"v2ray.com/core/common/serial"
@@ -70,7 +71,11 @@ func writeMetaWithFrame(writer buf.Writer, meta FrameMetadata, data buf.MultiBuf
 		return err
 	}
 
-	mb2 := make(buf.MultiBuffer, 0, len(data)+1)
+	if len(data)+1 > 64*1024*1024 {
+		return errors.New("value too large")
+	}
+	sliceSize := len(data) + 1
+	mb2 := make(buf.MultiBuffer, 0, sliceSize)
 	mb2 = append(mb2, frame)
 	mb2 = append(mb2, data...)
 	return writer.WriteMultiBuffer(mb2)

common/net/connection.go

@@ -9,6 +9,7 @@ import (
 
 	"v2ray.com/core/common"
 	"v2ray.com/core/common/buf"
+	"v2ray.com/core/common/errors"
 	"v2ray.com/core/common/signal/done"
 )
 
@@ -109,8 +110,12 @@ func (c *connection) Write(b []byte) (int, error) {
 		return 0, io.ErrClosedPipe
 	}
 
+	if len(b)/buf.Size+1 > 64*1024*1024 {
+		return 0, errors.New("value too large")
+	}
 	l := len(b)
-	mb := make(buf.MultiBuffer, 0, l/buf.Size+1)
+	sliceSize := l/buf.Size + 1
+	mb := make(buf.MultiBuffer, 0, sliceSize)
 	mb = buf.MergeBytes(mb, b)
 	return l, c.writer.WriteMultiBuffer(mb)
 }

common/protocol/http/headers.go

@@ -57,7 +57,7 @@ func ParseHost(rawHost string, defaultPort net.Port) (net.Destination, error) {
 			return net.Destination{}, err
 		}
 	} else if len(rawPort) > 0 {
-		intPort, err := strconv.Atoi(rawPort)
+		intPort, err := strconv.ParseUint(rawPort, 0, 16)
 		if err != nil {
 			return net.Destination{}, err
 		}

proxy/vless/encoding/addons.go

@@ -7,6 +7,7 @@ import (
 
 	"github.com/golang/protobuf/proto"
 	"v2ray.com/core/common/buf"
+	"v2ray.com/core/common/errors"
 	"v2ray.com/core/common/protocol"
 )
 
@@ -67,7 +68,12 @@ type MultiLengthPacketWriter struct {
 
 func (w *MultiLengthPacketWriter) WriteMultiBuffer(mb buf.MultiBuffer) error {
 	defer buf.ReleaseMulti(mb)
-	mb2Write := make(buf.MultiBuffer, 0, len(mb)+1)
+
+	if len(mb)+1 > 64*1024*1024 {
+		return errors.New("value too large")
+	}
+	sliceSize := len(mb) + 1
+	mb2Write := make(buf.MultiBuffer, 0, sliceSize)
 	for _, b := range mb {
 		length := b.Len()
 		if length == 0 || length+2 > buf.Size {