🫦 The stored server session ID must not reuse packet buffer

Author: database64128

client/client.go

@@ -18,6 +18,7 @@ import (
 	"github.com/Shadowsocks-NET/outline-ss-server/slicepool"
 	"github.com/Shadowsocks-NET/outline-ss-server/socks"
 	"github.com/database64128/tfo-go"
+	"go.uber.org/zap"
 	wgreplay "golang.zx2c4.com/wireguard/replay"
 )
 
@@ -507,16 +508,25 @@ func (c *packetConn) unpackAndValidatePacket(dst, src []byte) (socksAddrStart in
 				return
 			}
 			sessionStatus = newServerSession
-			ssid = dst[:8]
+			ssid = make([]byte, 8)
+			copy(ssid, dst[:8])
 			saead, err = c.cipher.NewAEAD(ssid)
 			if err != nil {
 				return
 			}
 			// Delay sfilter creation after validation to avoid a possibly unnecessary allocation.
 		}
 
+		logger.Debug("Checked server session ID",
+			zap.Int("sessionStatus", sessionStatus),
+			zap.Binary("dst[:8]", dst[:8]),
+			zap.Binary("serverSessionID", ssid),
+			zap.Binary("currentServerSessionID", c.cssid),
+			zap.Binary("oldServerSessionID", c.ossid),
+		)
+
 		// Unpack
-		buf, err = ss.UnpackAesWithSeparateHeader(dst, src, nil, c.cipher, saead)
+		buf, err = ss.UnpackAesWithSeparateHeader(dst, src, nil, saead)
 		if err != nil {
 			return
 		}
@@ -543,10 +553,19 @@ func (c *packetConn) unpackAndValidatePacket(dst, src []byte) (socksAddrStart in
 				return
 			}
 			sessionStatus = newServerSession
-			ssid = buf[:8]
+			ssid = make([]byte, 8)
+			copy(ssid, buf[:8])
 			// Delay sfilter creation after validation to avoid a possibly unnecessary allocation.
 		}
 
+		logger.Debug("Checked server session ID",
+			zap.Int("sessionStatus", sessionStatus),
+			zap.Binary("buf[:8]", buf[:8]),
+			zap.Binary("serverSessionID", ssid),
+			zap.Binary("currentServerSessionID", c.cssid),
+			zap.Binary("oldServerSessionID", c.ossid),
+		)
+
 	default:
 		plaintextStart, buf, err = ss.Unpack(dst, src, c.cipher)
 		if err != nil {

service/udp.go

@@ -339,7 +339,7 @@ func decryptAndGetOrCreateSession(id string, c *ss.Cipher, clientAddr *net.UDPAd
 			ses = newSession(separateHeader[:8], ssid, caead, saead, clientAddr)
 		}
 
-		buf, err = ss.UnpackAesWithSeparateHeader(dst, src, separateHeader, c, ses.caead)
+		buf, err = ss.UnpackAesWithSeparateHeader(dst, src, separateHeader, ses.caead)
 		if err != nil {
 			onetErr = onet.NewConnectionError("ERR_CIPHER", "Failed to unpack", err)
 			return

shadowsocks/packet.go

@@ -117,9 +117,10 @@ func Unpack(dst, pkt []byte, cipher *Cipher) (plaintextStart int, plaintext []by
 }
 
 // Unpack function for 2022-blake3-aes-256-gcm.
-// If separateHeader is nil, DecryptHeaderInPlace MUST be called before passing the ciphertext.
+// If separateHeader is nil, DecryptSeparateheader MUST be called to decrypte the separate header in-place
+// before passing the ciphertext.
 // The returned buffer includes the separate header.
-func UnpackAesWithSeparateHeader(dst, pkt, separateHeader []byte, cipher *Cipher, unpackAEAD cipher.AEAD) ([]byte, error) {
+func UnpackAesWithSeparateHeader(dst, pkt, separateHeader []byte, unpackAEAD cipher.AEAD) ([]byte, error) {
 	if len(pkt) <= 16+unpackAEAD.Overhead() {
 		return nil, ErrShortPacket
 	}