From 53ffa547116a664814238dbe5bf9c18372d6aa18 Mon Sep 17 00:00:00 2001
From: itaispiegel
Date: Fri, 1 Mar 2024 22:18:18 +0200
Subject: [PATCH] Handle possible errors in packet sending in proxy

---
 examples/rules.txt | 2 +-
 user/pkg/proxy/ftp.go | 13 +++++++++++--
 user/pkg/proxy/http.go | 15 +++++++++++----
 3 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/examples/rules.txt b/examples/rules.txt
index a045338..c3abea5 100755
--- a/examples/rules.txt
+++ b/examples/rules.txt
@@ -1,7 +1,7 @@
 loopback any 127.0.0.1/8 127.0.0.1/8 any any any any accept
 http any 10.1.1.1/32 10.1.2.2/32 TCP >1023 80 any accept
 http any 10.1.1.1/32 10.1.2.2/32 TCP >1023 8000 any accept
-åftp any 10.1.1.1/32 10.1.2.2/32 TCP >1023 21 any accept
+ftp any 10.1.1.1/32 10.1.2.2/32 TCP >1023 21 any accept
 GW_attack any any 10.0.2.15/32 any any any any drop
 spoof1 in 10.1.1.1/24 any any any any any drop
 spoof2 out 10.1.2.2/24 any any any any any drop
diff --git a/user/pkg/proxy/ftp.go b/user/pkg/proxy/ftp.go
index 390bdd5..6a404de 100644
--- a/user/pkg/proxy/ftp.go
+++ b/user/pkg/proxy/ftp.go
@@ -66,13 +66,22 @@ func allowFtpDataConnection(data []byte, dest net.Conn, logger zerolog.Logger) b
 			ipToFtpRepresentation(proxyIpAddr), clientDataAddr.Port/256, clientDataAddr.Port%256,
 		)
-		dest.Write([]byte(payloadToServer))
+		if _, err := dest.Write([]byte(payloadToServer)); err != nil {
+			log.Error().Err(err).
+				Str("clientAddr", clientDataAddr.String()).
+				Str("serverAddr", serverDataAddr.String()).
+				Msg("Error sending FTP data connection payload to server, blocking connection")
+			return false
+		}
 		log.Info().
 			Str("bindAddr", clientDataAddr.String()).
 			Str("serverAddr", serverDataAddr.String()).
 			Msg("Successfully allowed new FTP data connection")
 	} else {
-		dest.Write(data)
+		if _, err := dest.Write(data); err != nil {
+			logger.Error().Err(err).Msg("Error forwarding data")
+			return false
+		}
 	}
 	return true
 }
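Review bot: The new PORT-branch error path logs through the package-level `log.Error()` while the `else` branch a few lines below uses the `logger` parameter; both failures belong on the same logger so the block decision carries whatever context the caller attached to `logger`, i.e. `logger.Error().Err(err).`. The same event also keys the client data address as `clientAddr` while the success log directly below keys the identical value as `bindAddr`; using one key for one value is what makes the allowed/blocked pairs correlatable when these logs are queried. Discarding the byte count from `dest.Write` is fine here, since a `net.Conn` reports a short write through the returned error. allowFtpDataConnection begins before the hunk, so how the caller treats the `false` return is not visible.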
diff --git a/user/pkg/proxy/http.go b/user/pkg/proxy/http.go
index 6bcf813..75f0dd3 100644
--- a/user/pkg/proxy/http.go
+++ b/user/pkg/proxy/http.go
@@ -15,7 +15,7 @@ var dangerousContentTypes = []string{
 	"application/zip",
 }
-func sendBlockedResponse(dest net.Conn) {
+func sendBlockedResponse(dest net.Conn) error {
 	resp := http.Response{
 		Status: "403 Forbidden",
 		StatusCode: 403,
@@ -27,7 +27,7 @@ func sendBlockedResponse(dest net.Conn) {
 		Body: io.NopCloser(strings.NewReader("Blocked by Firewall\n")),
 	}
-	resp.Write(dest)
+	return resp.Write(dest)
 }
 func blockDangerousFilesCallback(data []byte, dest net.Conn, logger zerolog.Logger) bool {
@@ -36,7 +36,11 @@ func blockDangerousFilesCallback(data []byte, dest net.Conn, logger zerolog.Logg
 	contentType := string(matches[1])
 	for i := range dangerousContentTypes {
 		if contentType == dangerousContentTypes[i] {
-			sendBlockedResponse(dest)
+			if err := sendBlockedResponse(dest); err != nil {
+				logger.Error().Err(err).Msg("Error sending blocked response")
+				return false
+			}
+
 			logger.Warn().Str("srcAddr", dest.LocalAddr().String()).
 				Str("destAddr", dest.RemoteAddr().String()).
 				Msg("Blocked CSV file")
@@ -44,7 +48,10 @@ func blockDangerousFilesCallback(data []byte, dest net.Conn, logger zerolog.Logg
 		}
 	}
 }
-	dest.Write(data)
+	if _, err := dest.Write(data); err != nil {
+		logger.Error().Err(err).Msg("Error forwarding data")
+		return false
+	}
 	return true
 }
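Review bot: `sendBlockedResponse` now has a contract worth stating — it builds the 403 response and, as the second hunk shows, returns the result of `resp.Write` — but neither hunk adds a doc comment; a line above the signature such as `// sendBlockedResponse writes a 403 Forbidden response to dest and returns the error from writing it.` would cover it. The response fields between the two hunks are outside the diff, so whether the response declares a length for the `Body` shown in the second hunk is not visible here.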
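Review bot: The `logger.Warn()` that records the block decision is only reached after `sendBlockedResponse` succeeds, so when writing the 403 fails the function returns `false` with just `Error sending blocked response` and the srcAddr/destAddr fields and the matched `contentType` are never logged for that flow; from a detection standpoint the block event should be recorded before the response is attempted, or the error event should carry the same fields, e.g. `logger.Error().Err(err).Str("srcAddr", dest.LocalAddr().String()).Str("destAddr", dest.RemoteAddr().String()).Msg("Error sending blocked response")`. The message `Blocked CSV file` is emitted for every entry of `dangerousContentTypes` (the first hunk shows `application/zip` in that list), so adding `Str("contentType", contentType)` to the Warn would also make the record accurate. The forwarding error at the end of the function, in the last hunk, has the same gap — `Error forwarding data` carries no address fields. blockDangerousFilesCallback starts in the previous hunk's context, and the `return` that follows the Warn lies between this hunk and the last one.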