There is a buffer overflow bug in Shadowsocks UDP packet encoding. In the EncodeUDPPacket function of proxy/shadowsocks/protocol.go, a fixed-size buffer of 2048 bytes is created using buf.New().

However, the actual size of a UDP packet includes:
IV: 16 bytes (e.g., for aes-128-gcm)
Destination address: 7~258 bytes (depending on IPv4/IPv6/domain)
Payload: variable, up to 2048 bytes
AEAD authentication tag: 16 bytes
When the incoming payload is large (close to 2048 bytes), the total size exceeds the buffer capacity. When b.Extend() is called in AEADCipher.EncodePacket() to allocate space for the authentication tag, it triggers panic: extending out of bound, causing the process to crash.
Fix
Before creating the buffer, calculate the required buffer size based on IV length, maximum address length (258 bytes), payload length, and AEAD overhead (16 bytes). If the required size exceeds the default buffer size (2048 bytes), use buf.NewWithSize() to allocate a sufficiently large buffer.

Author: varian-feng

proxy/shadowsocks/protocol.go

@@ -186,19 +186,30 @@ func EncodeUDPPacket(request *protocol.RequestHeader, payload []byte) (*buf.Buff
 	user := request.User
 	account := user.Account.(*MemoryAccount)
 
-	buffer := buf.New()
 	ivLen := account.Cipher.IVSize()
+	// Calculate required buffer size: IV + max address length (1+255+2) + payload + AEAD overhead (16)
+	neededSize := ivLen + 258 + int32(len(payload)) + 16
+
+	var buffer *buf.Buffer
+	if neededSize > buf.Size {
+		buffer = buf.NewWithSize(neededSize)
+	} else {
+		buffer = buf.New()
+	}
+
 	if ivLen > 0 {
 		common.Must2(buffer.ReadFullFrom(rand.Reader, ivLen))
 	}
 
 	if err := addrParser.WriteAddressPort(buffer, request.Address, request.Port); err != nil {
+		buffer.Release()
 		return nil, newError("failed to write address").Base(err)
 	}
 
 	buffer.Write(payload)
 
 	if err := account.Cipher.EncodePacket(account.Key, buffer); err != nil {
+		buffer.Release()
 		return nil, newError("failed to encrypt UDP payload").Base(err)
 	}