Fix DoS attack vulnerability in CommandSwitchAccountFactory

2025-04-29 08:54:10 +00:00 · 2021-12-05 19:15:38 +00:00 · 2021-12-05 19:15:38 +00:00 · 6fb5c887b2
commit 6fb5c887b2
parent 4fc284a8e9
2 changed files with 22 additions and 1 deletions
--- a/proxy/vmess/encoding/commands_test.go
+++ b/proxy/vmess/encoding/commands_test.go
@ -4,6 +4,7 @@ import (
 	"testing"

 	"github.com/google/go-cmp/cmp"
+	"github.com/stretchr/testify/assert"

 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/buf"
@ -35,3 +36,23 @@ func TestSwitchAccount(t *testing.T) {
 		t.Error(r)
 	}
 }
+
+func TestSwitchAccountBugOffByOne(t *testing.T) {
+	sa := &protocol.CommandSwitchAccount{
+		Port:     1234,
+		ID:       uuid.New(),
+		AlterIds: 1024,
+		Level:    128,
+		ValidMin: 16,
+	}
+
+	buffer := buf.New()
+	csaf := CommandSwitchAccountFactory{}
+	common.Must(csaf.Marshal(sa, buffer))
+
+	Payload := buffer.Bytes()
+
+	cmd, err := csaf.Unmarshal(Payload[:len(Payload)-1])
+	assert.Error(t, err)
+	assert.Nil(t, cmd)
+}