Difuse/Mellaris
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: eliminate stale verdict poisoning, memory leaks, data races, and per-packet allocations in engine

Browse Source
This commit is contained in:
hayzam
2026-05-15 02:08:22 +00:00
parent bc25169f41
commit 301c252c43
15 changed files with 222 additions and 163 deletions
Download Patch File Download Diff File Expand all files Collapse all files
analyzer/tcp/http.go
+2 -2
View File
@@ -130,8 +130,8 @@ func (s *httpStream) parseResponseLine() utils.LSMAction {
return utils.LSMActionCancel
}
version := fields[0]
status, _ := strconv.Atoi(fields[1])
if !strings.HasPrefix(version, "HTTP/") || status == 0 {
status, err := strconv.Atoi(fields[1])
if err != nil || !strings.HasPrefix(version, "HTTP/") || status == 0 {
// Invalid version
return utils.LSMActionCancel
}
analyzer/tcp/tls.go
+4 -2
View File
@@ -6,6 +6,8 @@ import (
"git.difuse.io/Difuse/Mellaris/analyzer/utils"
)
const maxHandshakeLen = 65536
var _ analyzer.TCPAnalyzer = (*TLSAnalyzer)(nil)
type TLSAnalyzer struct{}
@@ -123,7 +125,7 @@ func (s *tlsStream) tlsClientHelloPreprocess() utils.LSMAction {
}
s.clientHelloLen = int(header[6])<<16 | int(header[7])<<8 | int(header[8])
if s.clientHelloLen < minDataSize {
if s.clientHelloLen < minDataSize || s.clientHelloLen > maxHandshakeLen {
return utils.LSMActionCancel
}
@@ -167,7 +169,7 @@ func (s *tlsStream) tlsServerHelloPreprocess() utils.LSMAction {
}
s.serverHelloLen = int(header[6])<<16 | int(header[7])<<8 | int(header[8])
if s.serverHelloLen < minDataSize {
if s.serverHelloLen < minDataSize || s.serverHelloLen > maxHandshakeLen {
return utils.LSMActionCancel
}
analyzer/udp/openvpn.go
+3 -2
View File
@@ -38,6 +38,7 @@ const (
OpenVPNMinPktLen = 6
OpenVPNTCPPktDefaultLimit = 256
OpenVPNUDPPktDefaultLimit = 256
OpenVPNTCPMaxPktLen = 4096
)
type OpenVPNAnalyzer struct{}
@@ -195,7 +196,7 @@ func newOpenVPNUDPStream(logger analyzer.Logger) *openvpnUDPStream {
}
func (o *openvpnUDPStream) Feed(rev bool, data []byte) (u *analyzer.PropUpdate, d bool) {
if len(data) == 0 {
if len(data) < OpenVPNMinPktLen {
return nil, false
}
var update *analyzer.PropUpdate
@@ -338,7 +339,7 @@ func (o *openvpnTCPStream) parsePkt(rev bool) (p *openvpnPkt, action utils.LSMAc
return nil, utils.LSMActionPause
}
if pktLen < OpenVPNMinPktLen {
if pktLen < OpenVPNMinPktLen || pktLen > OpenVPNTCPMaxPktLen {
return nil, utils.LSMActionCancel
}
analyzer/udp/quic.go
+4
View File
@@ -14,6 +14,7 @@ import (
const (
quicInvalidCountThreshold = 16
quicMaxCryptoDataLen = 256 * 1024
quicMaxFrameEntries = 100
)
var (
@@ -158,6 +159,9 @@ func (s *quicStream) mergeFrame(offset int64, data []byte) {
if len(data) == 0 || offset < 0 {
return
}
if len(s.frames) >= quicMaxFrameEntries {
return
}
if s.frames == nil {
s.frames = make(map[int64][]byte)
}