Clarify comment about switchToDirectCopy flag remaining true

Co-authored-by: RPRX <63339210+RPRX@users.noreply.github.com>
Fix occasional SSL protocol error in XTLS Vision by deferring direct copy when rawInput has pending data
2026-01-14 22:52:36 +08:00 · 2026-01-11 10:36:28 +00:00 · 2026-01-11 10:33:21 +00:00 · 2026-01-11 10:20:09 +00:00
2 changed files with 19 additions and 29 deletions
--- a/proxy/proxy.go
+++ b/proxy/proxy.go
@@ -224,7 +224,8 @@ func (w *VisionReader) ReadMultiBuffer() (buf.MultiBuffer, error) {
 		switchToDirectCopy = &w.trafficState.Outbound.DownlinkReaderDirectCopy
 	}

-	if *switchToDirectCopy {
+	if *switchToDirectCopy && w.input == nil {
+		// Already switched to direct copy mode
 		if w.directReadCounter != nil {
 			w.directReadCounter.Add(int64(buffer.Len()))
 		}
@@ -257,11 +258,18 @@ func (w *VisionReader) ReadMultiBuffer() (buf.MultiBuffer, error) {

 	if *switchToDirectCopy {
 		// XTLS Vision processes TLS-like conn's input and rawInput
+		// input contains decrypted application data - safe to merge
 		if inputBuffer, err := buf.ReadFrom(w.input); err == nil && !inputBuffer.IsEmpty() {
 			buffer, _ = buf.MergeMulti(buffer, inputBuffer)
 		}
-		if rawInputBuffer, err := buf.ReadFrom(w.rawInput); err == nil && !rawInputBuffer.IsEmpty() {
-			buffer, _ = buf.MergeMulti(buffer, rawInputBuffer)
+		// rawInput may contain encrypted bytes for the next TLS record
+		// If rawInput is not empty, we should NOT switch to direct mode yet
+		// because those bytes need to be processed by the TLS layer first
+		if w.rawInput != nil && w.rawInput.Len() > 0 {
+			// rawInput has pending data - defer direct copy to next read
+			// *switchToDirectCopy remains true (unchanged), so we will retry on the next ReadMultiBuffer call
+			// This ensures we don't mix encrypted bytes with application data
+			return buffer, err
 		}
 		*w.input = bytes.Reader{} // release memory
 		w.input = nil
--- a/proxy/wireguard/server.go
+++ b/proxy/wireguard/server.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	goerrors "errors"
 	"io"
-	"sync"

 	"github.com/xtls/xray-core/common"
 	"github.com/xtls/xray-core/common/buf"
@@ -27,7 +26,6 @@ var nullDestination = net.TCPDestination(net.AnyIP, 0)
 type Server struct {
 	bindServer *netBindServer

-	infoMu        sync.RWMutex
 	info          routingInfo
 	policyManager policy.Manager
 }
@@ -80,14 +78,12 @@ func (*Server) Network() []net.Network {

 // Process implements proxy.Inbound.
 func (s *Server) Process(ctx context.Context, network net.Network, conn stat.Connection, dispatcher routing.Dispatcher) error {
-	s.infoMu.Lock()
 	s.info = routingInfo{
 		ctx:        ctx,
 		dispatcher: dispatcher,
 		inboundTag: session.InboundFromContext(ctx),
 		contentTag: session.ContentFromContext(ctx),
 	}
-	s.infoMu.Unlock()

 	ep, err := s.bindServer.ParseEndpoint(conn.RemoteAddr().String())
 	if err != nil {
@@ -124,23 +120,18 @@ func (s *Server) Process(ctx context.Context, network net.Network, conn stat.Con
 }

 func (s *Server) forwardConnection(dest net.Destination, conn net.Conn) {
-	// Make a thread-safe copy of routing info
-	s.infoMu.RLock()
-	info := s.info
-	s.infoMu.RUnlock()
-
-	if info.dispatcher == nil {
-		errors.LogError(info.ctx, "unexpected: dispatcher == nil")
+	if s.info.dispatcher == nil {
+		errors.LogError(s.info.ctx, "unexpected: dispatcher == nil")
 		return
 	}
 	defer conn.Close()

-	ctx, cancel := context.WithCancel(core.ToBackgroundDetachedContext(info.ctx))
+	ctx, cancel := context.WithCancel(core.ToBackgroundDetachedContext(s.info.ctx))
 	sid := session.NewID()
 	ctx = c.ContextWithID(ctx, sid)
 	inbound := session.Inbound{} // since promiscuousModeHandler mixed-up context, we shallow copy inbound (tag) and content (configs)
-	if info.inboundTag != nil {
-		inbound = *info.inboundTag
+	if s.info.inboundTag != nil {
+		inbound = *s.info.inboundTag
 	}
 	inbound.Name = "wireguard"
 	inbound.CanSpliceCopy = 3
@@ -150,8 +141,8 @@ func (s *Server) forwardConnection(dest net.Destination, conn net.Conn) {
 	// Currently we have no way to link to the original source address
 	inbound.Source = net.DestinationFromAddr(conn.RemoteAddr())
 	ctx = session.ContextWithInbound(ctx, &inbound)
-	if info.contentTag != nil {
-		ctx = session.ContextWithContent(ctx, info.contentTag)
+	if s.info.contentTag != nil {
+		ctx = session.ContextWithContent(ctx, s.info.contentTag)
 	}
 	ctx = session.SubContextFromMuxInbound(ctx)

@@ -165,16 +156,7 @@ func (s *Server) forwardConnection(dest net.Destination, conn net.Conn) {
 		Reason: "",
 	})

-	// Set inbound and content tags from routing info for proper routing
-	// These were commented out in PR #4030 but are needed for domain-based routing
-	if info.inboundTag != nil {
-		ctx = session.ContextWithInbound(ctx, info.inboundTag)
-	}
-	if info.contentTag != nil {
-		ctx = session.ContextWithContent(ctx, info.contentTag)
-	}
-
-	link, err := info.dispatcher.Dispatch(ctx, dest)
+	link, err := s.info.dispatcher.Dispatch(ctx, dest)
 	if err != nil {
 		errors.LogErrorInner(ctx, err, "dispatch connection")
 	}
Author	SHA1	Message	Date
copilot-swe-agent[bot]	8ca03fa94e	Clarify comment about switchToDirectCopy flag remaining true Co-authored-by: RPRX <63339210+RPRX@users.noreply.github.com>	2026-01-11 10:36:28 +00:00
copilot-swe-agent[bot]	bdfd1d27b5	Fix occasional SSL protocol error in XTLS Vision by deferring direct copy when rawInput has pending data Co-authored-by: RPRX <63339210+RPRX@users.noreply.github.com>	2026-01-11 10:33:21 +00:00
copilot-swe-agent[bot]	e9774fc237	Initial plan	2026-01-11 10:20:09 +00:00