Random crash with "panic: runtime error: index out of range [1] with length 1" in .(*HttpRequest).Tidy

[Abradox]

Version

0.12.0

Operating System

Debian 12 (Raspberry Pi OS)

How are you running SpoofDPI?

I'm using Raspberry Pi OS (aarch64) based on Debian 12 and start with args:
./spoofdpi -addr 192.168.1.10

Tried to use binaries from release page, and later build by myself with latest golang 1.23.1 - no differences.

Description

Get random crashes with output:

INF 2024-09-29T14:50:58+03:00 [PROXY] created a listener on port 8080
panic: runtime error: index out of range [1] with length 1

goroutine 121257 [running]:
github.com/xvzc/SpoofDPI/packet.(*HttpRequest).Tidy(0x400011ee00)
/home/abradox/src/SpoofDPI/packet/http.go:117 +0x260
github.com/xvzc/SpoofDPI/proxy.(*Proxy).Start.func1()
/home/abradox/src/SpoofDPI/proxy/proxy.go:82 +0x278
created by github.com/xvzc/SpoofDPI/proxy.(*Proxy).Start in goroutine 7
/home/abradox/src/SpoofDPI/proxy/proxy.go:71 +0x59c

[Abradox]

Have added an if statement to find out what is in first position of array. Will wait for this situation again to get more info...
if len(parts) == 1 {
fmt.Printf("TIDY HAS ONE ELEMENT!\n")
fmt.Printf("%s\n", parts[0])
}

Result:
TIDY HAS ONE ELEMENT!
CONNECT firebase-settings.crashlytics.com:443 HTTP/1.1

[Ledorub]

What client did you use to send the request which caused panic?

[Ledorub]

The error is caused by this line:

SpoofDPI/packet/http.go

Line 117 in a2993ac

buf.WriteString(parts[1])

Here the HTTP request is split in two by an empty line.

SpoofDPI/packet/http.go

Line 100 in a2993ac

parts := strings.Split(s, "\r\n\r\n")

The RFC 7230 Section 3 describes the HTTP message syntax:

All HTTP/1.1 messages consist of a start-line followed by a sequence
of octets in a format similar to the Internet Message Format
[RFC5322]: zero or more header fields (collectively referred to as
the "headers" or the "header section"), an empty line indicating the
end of the header section, and an optional message body.

 HTTP-message   = start-line
                  *( header-field CRLF )
                  CRLF
                  [ message-body ]

When request does not contain an empty line (CRLF), there is only one element in the list, which makes SpoofDPI panic. The request sent by the client is malformed.

Judging from your output, the client also does not include a mandatory Host header.
RFC 7230 Section 5.4 states:

A client MUST send a Host header field in all HTTP/1.1 request
messages.

[Abradox]

Yes, probably it just a bad request, but i think program should not crash anyway... There should be a way to just drop that package and close connection with client (or just ignore).

[Ledorub]

should not crash anyway

Yes.