fix(ip-restriction): protect usrIpRstrct from concurrent access

XTLS · Jul 19, 2023 · e1843be · e1843be
1 parent 6a0ff0e
commit e1843be
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 0 deletions.
diff --git a/proxy/trojan/server.go b/proxy/trojan/server.go
@@ -5,6 +5,7 @@ import (
 	"io"
 	"strconv"
 	"strings"
+	"sync"
 	"time"
 
 	"github.com/xtls/xray-core/common"
@@ -35,6 +36,8 @@ func init() {
 
 // Server is an inbound connection handler that handles messages in trojan protocol.
 type Server struct {
+	sync.Mutex
+
 	policyManager policy.Manager
 	validator     *Validator
 	fallbacks     map[string]map[string]map[string]*Fallback // or nil
@@ -225,12 +228,15 @@ func (s *Server) Process(ctx context.Context, network net.Network, conn stat.Con
 		addr := conn.RemoteAddr().(*net.TCPAddr)
 
 		uniqueIps := make(map[string]bool)
+
+		s.Lock()
 		// Iterate through the connections and find unique used IP addresses withing last 30 seconds.
 		for _, conn := range *usrIpRstrct {
 			if conn.User == user.Email && !conn.IpAddress.Equal(addr.IP) && ((time.Now().Unix() - conn.Time) < 30) {
 				uniqueIps[conn.IpAddress.String()] = true
 			}
 		}
+		s.Unlock()
 
 		if (len(uniqueIps) >= int(user.IpLimit)) {
 			return newError("User ", user, " has exceeded their allowed IPs.").AtWarning()

diff --git a/proxy/vless/inbound/inbound.go b/proxy/vless/inbound/inbound.go
@@ -10,6 +10,7 @@ import (
 	"reflect"
 	"strconv"
 	"strings"
+	"sync"
 	"syscall"
 	"time"
 	"unsafe"
@@ -53,6 +54,8 @@ func init() {
 
 // Handler is an inbound connection handler that handles messages in VLess protocol.
 type Handler struct {
+	sync.Mutex
+
 	inboundHandlerManager feature_inbound.Manager
 	policyManager         policy.Manager
 	validator             *vless.Validator
@@ -451,12 +454,15 @@ func (h *Handler) Process(ctx context.Context, network net.Network, connection s
 		addr := connection.RemoteAddr().(*net.TCPAddr)
 
 		uniqueIps := make(map[string]bool)
+
+		h.Lock()
 		// Iterate through the connections and find unique used IP addresses withing last 30 seconds.
 		for _, conn := range *usrIpRstrct {
 			if conn.User == request.User.Email && !conn.IpAddress.Equal(addr.IP) && ((time.Now().Unix() - conn.Time) < 30) {
 				uniqueIps[conn.IpAddress.String()] = true
 			}
 		}
+		h.Unlock()
 
 		if (len(uniqueIps) >= int(request.User.IpLimit)) {
 			return newError("User ", request.User.Email, " has exceeded their allowed IPs.").AtWarning()

diff --git a/proxy/vmess/inbound/inbound.go b/proxy/vmess/inbound/inbound.go
@@ -97,6 +97,8 @@ func (v *userByEmail) Remove(email string) bool {
 
 // Handler is an inbound connection handler that handles messages in VMess protocol.
 type Handler struct {
+	sync.Mutex
+
 	policyManager         policy.Manager
 	inboundHandlerManager feature_inbound.Manager
 	clients               *vmess.TimedUserValidator
@@ -268,12 +270,14 @@ func (h *Handler) Process(ctx context.Context, network net.Network, connection s
 		addr := connection.RemoteAddr().(*net.TCPAddr)
 
 		uniqueIps := make(map[string]bool)
+		h.Lock()
 		// Iterate through the connections and find unique used IP addresses withing last 30 seconds.
 		for _, conn := range *usrIpRstrct {
 			if conn.User == request.User.Email && !conn.IpAddress.Equal(addr.IP) && ((time.Now().Unix() - conn.Time) < 30) {
 				uniqueIps[conn.IpAddress.String()] = true
 			}
 		}
+		h.Unlock()
 
 		if (len(uniqueIps) >= int(request.User.IpLimit)) {
 			return newError("User ", request.User.Email, " has exceeded their allowed IPs.").AtWarning()