From 63c7f5e686c51223ca42040b035671dfa4f57494 Mon Sep 17 00:00:00 2001
From: Darien Raymond <admin@v2ray.com>
Date: Wed, 8 Aug 2018 00:26:01 +0200
Subject: [PATCH] check payload length before decrypting it. fixes #1227

---
 transport/internet/kcp/io.go      |  4 ++++
 transport/internet/kcp/io_test.go | 36 +++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+)

diff --git a/transport/internet/kcp/io.go b/transport/internet/kcp/io.go
index 8fcd879f..7b7b0011 100644
--- a/transport/internet/kcp/io.go
+++ b/transport/internet/kcp/io.go
@@ -30,6 +30,10 @@ func (r *KCPPacketReader) Read(b []byte) []Segment {
 	}
 	if r.Security != nil {
 		nonceSize := r.Security.NonceSize()
+		overhead := r.Security.Overhead()
+		if len(b) <= nonceSize+overhead {
+			return nil
+		}
 		out, err := r.Security.Open(b[nonceSize:nonceSize], b[:nonceSize], b[nonceSize:], nil)
 		if err != nil {
 			return nil
diff --git a/transport/internet/kcp/io_test.go b/transport/internet/kcp/io_test.go
index 6086d867..68838fc8 100644
--- a/transport/internet/kcp/io_test.go
+++ b/transport/internet/kcp/io_test.go
@@ -1 +1,37 @@
 package kcp_test
+
+import (
+	"testing"
+
+	. "v2ray.com/core/transport/internet/kcp"
+)
+
+func TestKCPPacketReader(t *testing.T) {
+	reader := KCPPacketReader{
+		Security: &SimpleAuthenticator{},
+	}
+
+	testCases := []struct {
+		Input  []byte
+		Output []Segment
+	}{
+		{
+			Input:  []byte{},
+			Output: nil,
+		},
+		{
+			Input:  []byte{1},
+			Output: nil,
+		},
+	}
+
+	for _, testCase := range testCases {
+		seg := reader.Read(testCase.Input)
+		if testCase.Output == nil && seg != nil {
+			t.Errorf("Expect nothing returned, but actually %v", seg)
+		} else if testCase.Output != nil && seg == nil {
+			t.Errorf("Expect some output, but got nil")
+		}
+	}
+
+}