Closed
Description
x/net/proxy's SOCKS5 implementation has a logic error that allows the SOCKS server to trigger a client-side panic:
From https://github.com/golang/net/blob/master/proxy/socks5.go and reduced for clarity:
```go
bytesToDiscard := 0
switch buf[3] {
case socks5Domain:
	_, err := io.ReadFull(conn, buf[:1])
	bytesToDiscard = int(buf[0])
}
if cap(buf) < bytesToDiscard {
	buf = make([]byte, bytesToDiscard)
} else {
	buf = buf[:bytesToDiscard]
}
if _, err := io.ReadFull(conn, buf); err != nil {
	return errors.New("proxy: failed to read address from SOCKS5 proxy at " + s.addr + ": " + err.Error())
}
// Also need to discard the port number
if _, err := io.ReadFull(conn, buf[:2]); err != nil {
```
The length of `buf` is determined by the server here and may be less than 2.