fix: avoid panic on malformed short tunnel packets (#1904)

2026-05-13 17:35:37 +00:00 · 2026-02-18 00:04:30 +08:00
parent aa24d09aa2
commit f737708f45
2 changed files with 85 additions and 44 deletions
@@ -437,6 +437,14 @@ pub struct ZCPacket {
 }

 impl ZCPacket {
+    fn bytes_from_offset(&self, offset: usize) -> Option<&[u8]> {
+        self.inner.get(offset..)
+    }
+
+    fn mut_bytes_from_offset(&mut self, offset: usize) -> Option<&mut [u8]> {
+        self.inner.get_mut(offset..)
+    }
+
    pub fn new_nic_packet() -> Self {
        Self {
            inner: BytesMut::new(),
@@ -517,39 +525,39 @@ impl ZCPacket {
    }

    pub fn mut_peer_manager_header(&mut self) -> Option<&mut PeerManagerHeader> {
-        PeerManagerHeader::mut_from_prefix(
-            &mut self.inner[self
-                .packet_type
-                .get_packet_offsets()
-                .peer_manager_header_offset..],
-        )
+        let offset = self
+            .packet_type
+            .get_packet_offsets()
+            .peer_manager_header_offset;
+        let bytes = self.mut_bytes_from_offset(offset)?;
+        PeerManagerHeader::mut_from_prefix(bytes)
    }

    pub fn mut_tcp_tunnel_header(&mut self) -> Option<&mut TCPTunnelHeader> {
-        TCPTunnelHeader::mut_from_prefix(
-            &mut self.inner[self
-                .packet_type
-                .get_packet_offsets()
-                .tcp_tunnel_header_offset..],
-        )
+        let offset = self
+            .packet_type
+            .get_packet_offsets()
+            .tcp_tunnel_header_offset;
+        let bytes = self.mut_bytes_from_offset(offset)?;
+        TCPTunnelHeader::mut_from_prefix(bytes)
    }

    pub fn mut_udp_tunnel_header(&mut self) -> Option<&mut UDPTunnelHeader> {
-        UDPTunnelHeader::mut_from_prefix(
-            &mut self.inner[self
-                .packet_type
-                .get_packet_offsets()
-                .udp_tunnel_header_offset..],
-        )
+        let offset = self
+            .packet_type
+            .get_packet_offsets()
+            .udp_tunnel_header_offset;
+        let bytes = self.mut_bytes_from_offset(offset)?;
+        UDPTunnelHeader::mut_from_prefix(bytes)
    }

    pub fn mut_wg_tunnel_header(&mut self) -> Option<&mut WGTunnelHeader> {
-        WGTunnelHeader::mut_from_prefix(
-            &mut self.inner[self
-                .packet_type
-                .get_packet_offsets()
-                .wg_tunnel_header_offset..],
-        )
+        let offset = self
+            .packet_type
+            .get_packet_offsets()
+            .wg_tunnel_header_offset;
+        let bytes = self.mut_bytes_from_offset(offset)?;
+        WGTunnelHeader::mut_from_prefix(bytes)
    }

    // ref versions
@@ -562,30 +570,30 @@ impl ZCPacket {
    }

    pub fn peer_manager_header(&self) -> Option<&PeerManagerHeader> {
-        PeerManagerHeader::ref_from_prefix(
-            &self.inner[self
-                .packet_type
-                .get_packet_offsets()
-                .peer_manager_header_offset..],
-        )
+        let offset = self
+            .packet_type
+            .get_packet_offsets()
+            .peer_manager_header_offset;
+        let bytes = self.bytes_from_offset(offset)?;
+        PeerManagerHeader::ref_from_prefix(bytes)
    }

    pub fn tcp_tunnel_header(&self) -> Option<&TCPTunnelHeader> {
-        TCPTunnelHeader::ref_from_prefix(
-            &self.inner[self
-                .packet_type
-                .get_packet_offsets()
-                .tcp_tunnel_header_offset..],
-        )
+        let offset = self
+            .packet_type
+            .get_packet_offsets()
+            .tcp_tunnel_header_offset;
+        let bytes = self.bytes_from_offset(offset)?;
+        TCPTunnelHeader::ref_from_prefix(bytes)
    }

    pub fn udp_tunnel_header(&self) -> Option<&UDPTunnelHeader> {
-        UDPTunnelHeader::ref_from_prefix(
-            &self.inner[self
-                .packet_type
-                .get_packet_offsets()
-                .udp_tunnel_header_offset..],
-        )
+        let offset = self
+            .packet_type
+            .get_packet_offsets()
+            .udp_tunnel_header_offset;
+        let bytes = self.bytes_from_offset(offset)?;
+        UDPTunnelHeader::ref_from_prefix(bytes)
    }

    pub fn udp_payload(&self) -> &[u8] {
@@ -751,4 +759,24 @@ mod tests {
        assert_eq!(&tcp_packet[..1], b"\x0b");
        println!("{:?}", tcp_packet);
    }
+
+    #[test]
+    fn test_short_tcp_packet_header_access_is_safe() {
+        let mut packet = ZCPacket::new_from_buf(BytesMut::from(&b"\x01"[..]), ZCPacketType::TCP);
+
+        assert!(packet.peer_manager_header().is_none());
+        assert!(packet.tcp_tunnel_header().is_none());
+        assert!(packet.udp_tunnel_header().is_none());
+        assert!(packet.mut_peer_manager_header().is_none());
+        assert!(packet.mut_tcp_tunnel_header().is_none());
+        assert!(packet.mut_udp_tunnel_header().is_none());
+        assert!(packet.mut_wg_tunnel_header().is_none());
+    }
+
+    #[test]
+    fn test_invalid_converted_header_offset_is_safe() {
+        let mut packet = ZCPacket::new_from_buf(BytesMut::from(&b"\x01"[..]), ZCPacketType::UDP);
+
+        assert!(packet.mut_wg_tunnel_header().is_none());
+    }
 }