From cc1fa5dc690989a8b741d9e620e41ea73ef1bc4c Mon Sep 17 00:00:00 2001
From: toto <antitbone@jefaismonrhum.sdv.fr>
Date: Wed, 4 Mar 2026 11:24:09 +0100
Subject: [PATCH] fix: crash in parser with nil decode context

- Use gopacket.NewPacket with LinkTypeIPv4/IPv6 instead of DecodeFromBytes
- Fixes panic: runtime error: invalid memory address or nil pointer dereference
- Properly handles raw IP packets after SLL header stripping

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>

Co-authored-by: Qwen-Coder <qwen-coder@alibabacloud.com>
---
 internal/tlsparse/parser.go | 40 +++++++++++++------------------------
 1 file changed, 14 insertions(+), 26 deletions(-)

diff --git a/internal/tlsparse/parser.go b/internal/tlsparse/parser.go
index 7a89640..f458170 100644
--- a/internal/tlsparse/parser.go
+++ b/internal/tlsparse/parser.go
@@ -162,35 +162,23 @@ func (p *ParserImpl) Process(pkt api.RawPacket) (*api.TLSClientHello, error) {
 		ipLayer = packet.Layer(layers.LayerTypeIPv6)
 	}
 	tcpLayer = packet.Layer(layers.LayerTypeTCP)
-	
-	// If no IP/TCP layer found with Ethernet, try direct IP decoding
-	// This handles raw IP data (e.g., after stripping SLL header)
+
+	// If no IP/TCP layer found with Ethernet, try parsing as raw IP
+	// This handles stripped SLL data or other non-Ethernet formats
 	if ipLayer == nil || tcpLayer == nil {
-		// Try IPv4
-		ipv4 := &layers.IPv4{}
-		if err := ipv4.DecodeFromBytes(data, nil); err == nil {
-			ipLayer = ipv4
-			// Try to decode TCP from IPv4 payload
-			tcp := &layers.TCP{}
-			if err := tcp.DecodeFromBytes(ipv4.Payload, nil); err == nil {
-				tcpLayer = tcp
-			}
+		// Try parsing as raw IPv4 packet
+		rawPacket := gopacket.NewPacket(data, layers.LinkTypeIPv4, gopacket.Default)
+		ipLayer = rawPacket.Layer(layers.LayerTypeIPv4)
+		if ipLayer == nil {
+			// Try parsing as raw IPv6 packet
+			rawPacket = gopacket.NewPacket(data, layers.LinkTypeIPv6, gopacket.Default)
+			ipLayer = rawPacket.Layer(layers.LayerTypeIPv6)
+		}
+		if ipLayer != nil {
+			tcpLayer = rawPacket.Layer(layers.LayerTypeTCP)
 		}
 	}
-	
-	// Try IPv6 if IPv4 didn't work
-	if ipLayer == nil {
-		ipv6 := &layers.IPv6{}
-		if err := ipv6.DecodeFromBytes(data, nil); err == nil {
-			ipLayer = ipv6
-			// Try to decode TCP from IPv6 payload
-			tcp := &layers.TCP{}
-			if err := tcp.DecodeFromBytes(ipv6.Payload, nil); err == nil {
-				tcpLayer = tcp
-			}
-		}
-	}
-	
+
 	if ipLayer == nil {
 		return nil, nil // Not an IP packet
 	}