Clarify comment about switchToDirectCopy flag remaining true

Co-authored-by: RPRX <63339210+RPRX@users.noreply.github.com>

app/dns/nameserver_udp.go

@@ -160,7 +160,7 @@ func (s *ClassicNameServer) getCacheController() *CacheController {
 }
 
 // sendQuery implements CachedNameserver.
-func (s *ClassicNameServer) sendQuery(ctx context.Context, _ chan<- error, fqdn string, option dns_feature.IPOption) {
+func (s *ClassicNameServer) sendQuery(ctx context.Context, noResponseErrCh chan<- error, fqdn string, option dns_feature.IPOption) {
 	errors.LogInfo(ctx, s.Name(), " querying DNS for: ", fqdn)
 
 	reqs := buildReqMsgs(fqdn, option, s.newReqID, genEDNS0Options(s.clientIP, 0))
@@ -171,7 +171,14 @@ func (s *ClassicNameServer) sendQuery(ctx context.Context, _ chan<- error, fqdn
 			ctx:        ctx,
 		}
 		s.addPendingRequest(udpReq)
-		b, _ := dns.PackMessage(req.msg)
+		b, err := dns.PackMessage(req.msg)
+		if err != nil {
+			errors.LogErrorInner(ctx, err, "failed to pack dns query")
+			if noResponseErrCh != nil {
+				noResponseErrCh <- err
+			}
+			return
+		}
 		copyDest := net.UDPDestination(s.address.Address, s.address.Port)
 		b.UDP = &copyDest
 		s.udpServer.Dispatch(toDnsContext(ctx, s.address.String()), *s.address, b)

proxy/proxy.go

@@ -224,7 +224,8 @@ func (w *VisionReader) ReadMultiBuffer() (buf.MultiBuffer, error) {
 		switchToDirectCopy = &w.trafficState.Outbound.DownlinkReaderDirectCopy
 	}
 
-	if *switchToDirectCopy {
+	if *switchToDirectCopy && w.input == nil {
+		// Already switched to direct copy mode
 		if w.directReadCounter != nil {
 			w.directReadCounter.Add(int64(buffer.Len()))
 		}
@@ -257,11 +258,18 @@ func (w *VisionReader) ReadMultiBuffer() (buf.MultiBuffer, error) {
 
 	if *switchToDirectCopy {
 		// XTLS Vision processes TLS-like conn's input and rawInput
+		// input contains decrypted application data - safe to merge
 		if inputBuffer, err := buf.ReadFrom(w.input); err == nil && !inputBuffer.IsEmpty() {
 			buffer, _ = buf.MergeMulti(buffer, inputBuffer)
 		}
-		if rawInputBuffer, err := buf.ReadFrom(w.rawInput); err == nil && !rawInputBuffer.IsEmpty() {
-			buffer, _ = buf.MergeMulti(buffer, rawInputBuffer)
+		// rawInput may contain encrypted bytes for the next TLS record
+		// If rawInput is not empty, we should NOT switch to direct mode yet
+		// because those bytes need to be processed by the TLS layer first
+		if w.rawInput != nil && w.rawInput.Len() > 0 {
+			// rawInput has pending data - defer direct copy to next read
+			// *switchToDirectCopy remains true (unchanged), so we will retry on the next ReadMultiBuffer call
+			// This ensures we don't mix encrypted bytes with application data
+			return buffer, err
 		}
 		*w.input = bytes.Reader{} // release memory
 		w.input = nil

proxy/wireguard/bind.go

@@ -124,26 +124,6 @@ type netBindClient struct {
 	ctx      context.Context
 	dialer   internet.Dialer
 	reserved []byte
-	
-	// Track all peer connections for unified reading
-	connMutex sync.RWMutex
-	conns     map[*netEndpoint]net.Conn
-	dataChan  chan *receivedData
-	closeChan chan struct{}
-	closeOnce sync.Once
-}
-
-const (
-	// Buffer size for dataChan - allows some buffering of received packets
-	// while dispatcher matches them with read requests
-	dataChannelBufferSize = 100
-)
-
-type receivedData struct {
-	data     []byte
-	n        int
-	endpoint *netEndpoint
-	err      error
 }
 
 func (bind *netBindClient) connectTo(endpoint *netEndpoint) error {
@@ -153,114 +133,34 @@ func (bind *netBindClient) connectTo(endpoint *netEndpoint) error {
 	}
 	endpoint.conn = c
 
-	// Initialize channels on first connection
-	bind.connMutex.Lock()
-	if bind.conns == nil {
-		bind.conns = make(map[*netEndpoint]net.Conn)
-		bind.dataChan = make(chan *receivedData, dataChannelBufferSize)
-		bind.closeChan = make(chan struct{})
-		
-		// Start unified reader dispatcher
-		go bind.unifiedReader()
-	}
-	bind.conns[endpoint] = c
-	bind.connMutex.Unlock()
-	
-	// Start a reader goroutine for this specific connection
-	go func(conn net.Conn, endpoint *netEndpoint) {
-		const maxPacketSize = 1500
+	go func(readQueue <-chan *netReadInfo, endpoint *netEndpoint) {
 		for {
-			select {
-			case <-bind.closeChan:
-				return
-			default:
-			}
-			
-			buf := make([]byte, maxPacketSize)
-			n, err := conn.Read(buf)
-			
-			// Send only the valid data portion to dispatcher
-			dataToSend := buf
-			if n > 0 && n < len(buf) {
-				dataToSend = buf[:n]
-			}
-			
-			// Send received data to dispatcher
-			select {
-			case bind.dataChan <- &receivedData{
-				data:     dataToSend,
-				n:        n,
-				endpoint: endpoint,
-				err:      err,
-			}:
-			case <-bind.closeChan:
+			v, ok := <-readQueue
+			if !ok {
 				return
 			}
-			
+			i, err := c.Read(v.buff)
+
+			if i > 3 {
+				v.buff[1] = 0
+				v.buff[2] = 0
+				v.buff[3] = 0
+			}
+
+			v.bytes = i
+			v.endpoint = endpoint
+			v.err = err
+			v.waiter.Done()
 			if err != nil {
-				bind.connMutex.Lock()
-				delete(bind.conns, endpoint)
 				endpoint.conn = nil
-				bind.connMutex.Unlock()
 				return
 			}
 		}
-	}(c, endpoint)
+	}(bind.readQueue, endpoint)
 
 	return nil
 }
 
-// unifiedReader dispatches received data to waiting read requests
-func (bind *netBindClient) unifiedReader() {
-	for {
-		select {
-		case data := <-bind.dataChan:
-			// Bounds check to prevent panic
-			if data.n > len(data.data) {
-				data.n = len(data.data)
-			}
-			
-			// Wait for a read request with timeout to prevent blocking forever
-			select {
-			case v := <-bind.readQueue:
-				// Copy data to request buffer
-				n := copy(v.buff, data.data[:data.n])
-				
-				// Clear reserved bytes if needed
-				if n > 3 {
-					v.buff[1] = 0
-					v.buff[2] = 0
-					v.buff[3] = 0
-				}
-				
-				v.bytes = n
-				v.endpoint = data.endpoint
-				v.err = data.err
-				v.waiter.Done()
-			case <-bind.closeChan:
-				return
-			}
-		case <-bind.closeChan:
-			return
-		}
-	}
-}
-
-// Close implements conn.Bind.Close for netBindClient
-func (bind *netBindClient) Close() error {
-	// Use sync.Once to prevent double-close panic
-	bind.closeOnce.Do(func() {
-		bind.connMutex.Lock()
-		if bind.closeChan != nil {
-			close(bind.closeChan)
-		}
-		bind.connMutex.Unlock()
-	})
-	
-	// Call parent Close
-	return bind.netBind.Close()
-}
-
 func (bind *netBindClient) Send(buff [][]byte, endpoint conn.Endpoint) error {
 	var err error
 

proxy/wireguard/client.go

@@ -114,12 +114,6 @@ func (h *Handler) processWireGuard(ctx context.Context, dialer internet.Dialer)
 	}
 
 	// bind := conn.NewStdNetBind() // TODO: conn.Bind wrapper for dialer
-	// Set workers to number of peers if not explicitly configured
-	// This allows concurrent packet reception from multiple peers
-	workers := int(h.conf.NumWorkers)
-	if workers <= 0 && len(h.conf.Peers) > 0 {
-		workers = len(h.conf.Peers)
-	}
 	h.bind = &netBindClient{
 		netBind: netBind{
 			dns: h.dns,
@@ -127,9 +121,9 @@ func (h *Handler) processWireGuard(ctx context.Context, dialer internet.Dialer)
 				IPv4Enable: h.hasIPv4,
 				IPv6Enable: h.hasIPv6,
 			},
-			workers: workers,
+			workers: int(h.conf.NumWorkers),
 		},
-		ctx:      core.ToBackgroundDetachedContext(ctx),
+		ctx:      ctx,
 		dialer:   dialer,
 		reserved: h.conf.Reserved,
 	}