From 6738ecf68ec5c31e91a2d5ec0b539ea5745ce092 Mon Sep 17 00:00:00 2001
From: ari-ahm <154451491+ari-ahm@users.noreply.github.com>
Date: Fri, 26 Dec 2025 23:47:24 +0330
Subject: [PATCH] common/uuid: fix panic when parsing 32-len invalid UUID string. (#5468)
* common/uuid: fix panic when parsing 32-len invalid UUID string.
* fix: removed typo
---
 common/uuid/uuid.go | 6 +++++-
 common/uuid/uuid_test.go | 5 +++++
 proxy/vless/encoding/encoding.go | 2 +-
 3 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/common/uuid/uuid.go b/common/uuid/uuid.go
index 4ede12e6..ef6da4cb 100644
--- a/common/uuid/uuid.go
+++ b/common/uuid/uuid.go
@@ -85,10 +85,14 @@ func ParseString(str string) (UUID, error) {
 b := uuid.Bytes()
 for _, byteGroup := range byteGroups {
- if text[0] == '-' {
+ if len(text) > 0 && text[0] == '-' {
 text = text[1:]
 }
+ if len(text) < byteGroup {
+ return uuid, errors.New("invalid UUID: ", str)
+ }
+
 if _, err := hex.Decode(b[:byteGroup/2], text[:byteGroup]); err != nil {
 return uuid, err
 }
diff --git a/common/uuid/uuid_test.go b/common/uuid/uuid_test.go
index 6f26ca5b..7d909a78 100644
--- a/common/uuid/uuid_test.go
+++ b/common/uuid/uuid_test.go
@@ -44,6 +44,11 @@ func TestParseString(t *testing.T) {
 if err == nil {
 t.Fatal("Expect error but nil")
 }
+
+ _, err = ParseString("2418d087-648d-4990-86e8-19dca1d0")
+ if err == nil {
+ t.Fatal("Expect error but nil")
+ }
 }
 func TestNewUUID(t *testing.T) {
diff --git a/proxy/vless/encoding/encoding.go b/proxy/vless/encoding/encoding.go
index b3b43bac..6cbacd8d 100644
--- a/proxy/vless/encoding/encoding.go
+++ b/proxy/vless/encoding/encoding.go
@@ -93,7 +93,7 @@ func DecodeRequestHeader(isfb bool, first *buf.Buffer, reader io.Reader, validat
 if request.User = validator.Get(id); request.User == nil {
 u := uuid.UUID(id)
- return nil, nil, nil, isfb, errors.New("invalid request user id: %s" + u.String())
+ return nil, nil, nil, isfb, errors.New("invalid request user id: " + u.String())
 }
 if isfb {
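Review bot: In `ParseString` (common/uuid/uuid.go) the new guard rejects input that runs short, but nothing visible in the hunk rejects input that is too long or oddly punctuated. The hyphen skip runs on every iteration, the first included, so a leading hyphen is accepted and the hyphens between groups are optional. The rest of the loop body and the function's tail lie outside the hunk, so leftover bytes may already be rejected there; if they are not, add `if len(text) != 0 { return uuid, errors.New("invalid UUID: ", str) }` after the loop. The `hex.Decode` failure a few lines below still returns the bare decoder error while the new path names the input; returning the same `invalid UUID` error from both would give callers a single failure to handle.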
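Review bot: The case added to `TestParseString` (common/uuid/uuid_test.go) pins only the short-final-group input, while the defect fixed here was a panic on malformed input, which a single example cannot rule out for other shapes. A native fuzz target next to this test would assert the property that matters for a parser fed from configuration or the network: any string returns a value or an error, never a panic. `TestParseString` starts outside the hunk; the function below is new and stands on its own. The empty-string seed is a constructed sample, and the other seed is the input this commit adds.

```go
// FuzzParseString checks that ParseString never panics, whatever the input.
func FuzzParseString(f *testing.F) {
	f.Add("2418d087-648d-4990-86e8-19dca1d0")
	f.Add("")
	f.Fuzz(func(t *testing.T, s string) {
		// Only the absence of a panic is asserted; both results are ignored.
		_, _ = ParseString(s)
	})
}
```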
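Review bot: The corrected message in `DecodeRequestHeader` (proxy/vless/encoding/encoding.go) still embeds the rejected id in the error text, and that id appears to be the value the not-yet-authenticated peer sent, since it has just failed `validator.Get`. If the user id is what authenticates a client, a mistyped id from a legitimate user ends up almost intact wherever this error is logged. Consider a comment stating that this is intended for operator debugging, or include only a short prefix of `u.String()`. If this file uses the same errors package as common/uuid/uuid.go, passing the id as a separate argument, as in `errors.New("invalid UUID: ", str)`, would also avoid the concatenation that hid the stray `%s`. The function body continues outside the hunk.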