From a8a88140af7fc3e76ec0e7c0d7f3c5d0819aaac6 Mon Sep 17 00:00:00 2001 From: nessi Date: Thu, 19 Mar 2026 22:38:12 +0100 Subject: [PATCH] refactor: replace Peek with ReadFull in TLS ClientHello parsing to prevent buffering issues Replace bufio.Reader.Peek calls with io.ReadFull for header and record body reading. Allocate header and full buffers explicitly and copy header into full buffer before reading remaining bytes. Remove redundant byte slice copy when returning full ClientHello data.
---
deploy/access-proxy/main.go | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/deploy/access-proxy/main.go b/deploy/access-proxy/main.go
index 6e7afbb..e295420 100644
--- a/deploy/access-proxy/main.go
+++ b/deploy/access-proxy/main.go
@@ -166,23 +166,24 @@ func proxyCopy(errCh chan<- error, dst io.Writer, src io.Reader) {
 }
 
 func readClientHello(reader *bufio.Reader) ([]byte, string, error) {
- header, err := reader.Peek(5)
- if err != nil {
+ header := make([]byte, 5)
+ if _, err := io.ReadFull(reader, header); err != nil {
 return nil, "", err
 }
 if header[0] != 22 {
 return nil, "", errors.New("not a tls client hello")
 }
 recordLen := int(header[3])<<8 | int(header[4])
- full, err := reader.Peek(5 + recordLen)
- if err != nil {
+ full := make([]byte, 5+recordLen)
+ copy(full, header)
+ if _, err := io.ReadFull(reader, full[5:]); err != nil {
 return nil, "", err
 }
 host, err := extractSNI(full)
 if err != nil {
 return nil, "", err
 }
- return append([]byte(nil), full...), host, nil
+ return full, host, nil
 }
 
 func extractSNI(packet []byte) (string, error) {
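Review bot: `recordLen` is taken straight from the two length bytes the client sent, and in readClientHello it now sizes `make([]byte, 5+recordLen)` with no bound, so an unauthenticated connection can make the proxy allocate up to about 64 KiB and then wait in `io.ReadFull` for bytes that may never arrive. The old `Peek` was implicitly capped by the bufio buffer size (it returns `bufio.ErrBufferFull` beyond it), and that cap is gone with this change. Reject out-of-range lengths before allocating, for example `if recordLen == 0 || recordLen > 16384 { return nil, "", errors.New("invalid tls record length") }`, since a TLS plaintext record may not exceed 2^14 bytes. Whether the caller sets a read deadline on the connection before this call is not visible in the hunk; if it does not, the blocking read should be bounded there. Separately, ReadFull consumes the bytes that Peek used to leave in the reader, so the caller (outside this hunk) presumably has to forward the returned slice to the backend before copying the rest of the stream; that is worth confirming.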