Skip to content

net/http, x/net/proxy: Panic triggerable by SOCKS5 server #21333

New issue
New issue
Closed
Closed
net/http, x/net/proxy: Panic triggerable by SOCKS5 server#21333
Labels
FrozenDueToAgeNeedsFixThe path to resolution is known, but the work has not been done.
Milestone
 
Go1.11
@special

Description

@special
special
opened on Aug 7, 2017

x/net/proxy's SOCKS5 implementation has a logic error that allows the SOCKS server to trigger a client-side panic:

From https://github.com/golang/net/blob/master/proxy/socks5.go and reduced for clarity:

	bytesToDiscard := 0
	switch buf[3] {
	case socks5Domain:
		_, err := io.ReadFull(conn, buf[:1])
		bytesToDiscard = int(buf[0])
	}

	if cap(buf) < bytesToDiscard {
		buf = make([]byte, bytesToDiscard)
	} else {
		buf = buf[:bytesToDiscard]
	}
	if _, err := io.ReadFull(conn, buf); err != nil {
		return errors.New("proxy: failed to read address from SOCKS5 proxy at " + s.addr + ": " + err.Error())
	}

	// Also need to discard the port number
	if _, err := io.ReadFull(conn, buf[:2]); err != nil {

The length of buf is determined by the server here and may be less than 2.

Metadata

Metadata

Assignees

No one assigned

    Labels

    FrozenDueToAgeNeedsFixThe path to resolution is known, but the work has not been done.

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions