[Bug] sing-box 1.12.15 nil pointer panic SIGSEGV occasionally in high-rate many connections environment (for example, torrent) #3677

@craftfever

Operating system

Linux

System version

Arch Linux, kernel version 6.18.3

Installation type

Original sing-box Command Line

If you are using a graphical client, please provide the version of the client.

No response

Version

sing-box version 1.12.15

Environment: go1.25.5 X:nodwarf5 linux/amd64
Tags: with_gvisor,with_quic,with_dhcp,with_wireguard,with_utls,with_acme,with_clash_api,with_tailscale
CGO: enabled

Description

In an environment with a lot of connections (such as torrenting), sing-box can crash with the following error:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x140 pc=0x55f06f78cc6d]

goroutine 3078637 [running]:
github.com/sagernet/sing/common/buf.(*Buffer).Write(...)
	github.com/sagernet/sing@v0.7.14/common/buf/buffer.go:107
github.com/sagernet/sing-vmess/vless.WriteRequest({0x7fbb90043928, 0xc0080475c0}, {{0x1c, 0x7f, 0xcc, 0x38, 0xe6, 0xbe, 0x43, 0xc5, ...}, ...}, ...)
	github.com/sagernet/sing-vmess@v0.2.7/vless/protocol.go:171 +0x513
github.com/sagernet/sing-vmess/vless.(*Conn).Write(0xc005fa3420, {0x0?, 0x1c0, 0x0?})
	github.com/sagernet/sing-vmess@v0.2.7/vless/client.go:136 +0xf3
github.com/sagernet/sing-box/route.(*ConnectionManager).connectionCopy(0xc0003443c0, {0x55f0712e68c0, 0xc008258e40}, {0x55f0712f2d08, 0xc007c19068}, {0x55f0712f65f0, 0xc005fa3420}, 0x0, 0xc01a80097c, 0xc008b0a1e0)
	github.com/sagernet/sing-box/route/conn.go:240 +0x267
created by github.com/sagernet/sing-box/route.(*ConnectionManager).NewConnection in goroutine 3070576
	github.com/sagernet/sing-box/route/conn.go:105 +0x86f

Config (without sensitive data):

{
    "certificate": {
        "store": "system"
    },
    "dns": {
        "rules": [
            {
                "action": "predefined",
                "answer": "localhost. IN A 127.0.0.1",
                "domain": "localhost",
                "query_type": "A",
                "rcode": "NOERROR"
            },
            {
                "action": "predefined",
                "answer": "localhost. IN AAAA ::1",
                "domain": "localhost",
                "query_type": "AAAA",
                "rcode": "NOERROR"
            }
        ],
        "servers": [
            {
                "detour": "proxy",
                "domain_resolver": "dns-local",
                "server": "1.1.1.1",
                "tag": "dns-remote",
                "type": "tls"
            },
            {
                "domain_resolver": "dns-local",
                "tag": "dns-direct",
                "type": "local"
            },
            {
                "tag": "dns-local",
                "type": "local"
            }
        ]
    },
    "endpoints": [
    ],
    "experimental": {
        "cache_file": {
            "enabled": true,
            "store_fakeip": true,
            "store_rdrc": true
        }
    },
    "inbounds": [
        {
            "listen": "127.0.0.1",
            "listen_port": 53,
            "tag": "hijack",
            "type": "direct"
        },
        {
            "listen": "127.0.0.1",
            "listen_port": 2580,
            "tag": "mixed-in",
            "type": "mixed"
        },
        {
            "address": [
                "172.19.0.1/24"
            ],
            "auto_redirect": true,
            "auto_route": true,
            "interface_name": "sing-box-tun",
            "mtu": 1500,
            "route_exclude_address": [
                "127.0.0.0/8",
                "127.0.0.1/8"
            ],
            "stack": "system",
            "strict_route": true,
            "tag": "tun-in",
            "type": "tun"
        }
    ],
    "log": {
        "level": "panic"
    },
    "outbounds": [
        {
            "packet_encoding": "xudp",
            "server": "{server_ip}",
            "server_port": {port},
            "tag": "proxy",
            "tls": {
                "enabled": true,
                "insecure": true,
                "reality": {
                    "enabled": true,
                    "public_key": "{key}",
                    "short_id": "{id}"
                },
                "server_name": "{sni}",
                "utls": {
                    "enabled": true,
                    "fingerprint": "chrome"
                }
            },
            "transport": {
            },
            "type": "vless",
            "udp_fragment": true,
            "uuid": "{uuid}"
        },
        {
            "tag": "direct",
            "type": "direct"
        }
    ],
    "route": {
        "auto_detect_interface": true,
        "default_domain_resolver": {
            "server": "dns-direct",
            "strategy": "ipv4_only"
        },
        "final": "proxy",
        "rule_set": [
        ],
        "rules": [
            {
                "action": "sniff",
                "inbound": [
                    "mixed-in",
                    "tun-in"
                ]
            },
            {
                "action": "resolve",
                "inbound": [
                    "mixed-in",
                    "tun-in"
                ],
                "strategy": "prefer_ipv4"
            },
            {
                "action": "sniff",
                "inbound": [
                    "hijack"
                ]
            },
            {
                "action": "hijack-dns",
                "protocol": "dns"
            },
            {
                "action": "route",
                "ip_cidr": [
                    "127.0.0.1/8"
                ],
                "outbound": "direct"
            }
        ]
    }
}

Reproduction

  1. Run sing-box with a tun-enabled config
  2. Run a torrent program through sing-box's tun
  3. Expect a random crash that can occur suddenly

Logs

Supporter

Integrity requirements

  • I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote, and did not pile up seemingly useful options or default values.
  • I confirm that I have provided the server and client configuration files and process that can be reproduced locally, instead of a complicated client configuration file that has been stripped of sensitive data.
  • I confirm that I have provided the simplest configuration that can be used to reproduce the error I reported, instead of depending on remote servers, TUN, graphical interface clients, or other closed-source software.
  • I confirm that I have provided the complete configuration files and logs, rather than just providing parts I think are useful out of confidence in my own intelligence.

Labels: bug (Something isn't working)
