fix: eliminate stale verdict poisoning, memory leaks, data races, and per-packet allocations in engine

2026-05-15 02:08:22 +00:00
parent bc25169f41
commit 301c252c43
15 changed files with 222 additions and 163 deletions
+3 -2
@@ -38,6 +38,7 @@ const (
OpenVPNMinPktLen = 6
OpenVPNTCPPktDefaultLimit = 256
OpenVPNUDPPktDefaultLimit = 256
OpenVPNTCPMaxPktLen = 4096
)
type OpenVPNAnalyzer struct{}
@@ -195,7 +196,7 @@ func newOpenVPNUDPStream(logger analyzer.Logger) *openvpnUDPStream {
}
func (o *openvpnUDPStream) Feed(rev bool, data []byte) (u *analyzer.PropUpdate, d bool) {
if len(data) == 0 {
if len(data) < OpenVPNMinPktLen {
return nil, false
}
var update *analyzer.PropUpdate
@@ -338,7 +339,7 @@ func (o *openvpnTCPStream) parsePkt(rev bool) (p *openvpnPkt, action utils.LSMAc
return nil, utils.LSMActionPause
}
if pktLen < OpenVPNMinPktLen {
if pktLen < OpenVPNMinPktLen || pktLen > OpenVPNTCPMaxPktLen {
return nil, utils.LSMActionCancel
}
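Review bot: The new `OpenVPNTCPMaxPktLen = 4096` constant in the first hunk has no comment explaining the bound, yet the third hunk turns any length-prefixed TCP packet above it into `utils.LSMActionCancel`, so an oversize but legitimate packet would permanently stop the analyzer for that stream instead of pausing it; the reason for choosing 4096 over the 16-bit prefix maximum should be recorded next to the constant. I would add `// OpenVPNTCPMaxPktLen caps the length-prefixed TCP packet size the analyzer will buffer; a larger prefix cancels the analyzer rather than growing the buffer.` If the project's OpenVPN control-channel traffic can exceed this size, the cap is worth re-checking before relying on it as the memory bound, which I cannot confirm from the visible lines. The UDP path in the second hunk returns `nil, false` for a short datagram while the TCP path cancels, which looks deliberate but deserves a one-line comment at the UDP check, e.g. `// Too short to be an OpenVPN packet; skip it without giving up on the stream.` Both `Feed` and `parsePkt` continue outside their hunks.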
+4
@@ -14,6 +14,7 @@ import (
const (
quicInvalidCountThreshold = 16
quicMaxCryptoDataLen = 256 * 1024
quicMaxFrameEntries = 100
)
var (
@@ -158,6 +159,9 @@ func (s *quicStream) mergeFrame(offset int64, data []byte) {
if len(data) == 0 || offset < 0 {
return
}
if len(s.frames) >= quicMaxFrameEntries {
return
}
if s.frames == nil {
s.frames = make(map[int64][]byte)
}