blockcheck: fix missing quic fake escape

blockcheck.sh

@@ -668,7 +668,7 @@ curl_with_dig()
 	# $2 - domain name
 	# $3 - port
 	# $4+ - curl params
-	local dom=$2 port=$3
+	local dom="$2" port=$3
 	local sdom suri ip
 
 	split_by_separator "$dom" / sdom suri
@@ -687,12 +687,12 @@ curl_probe()
 	# $3 - port
 	# $4 - subst ip
 	# $5+ - curl params
-	local ipv=$1 dom=$2 port=$3 subst=$4
+	local ipv=$1 dom="$2" port=$3 subst=$4
 	shift; shift; shift; shift
 	if [ -n "$subst" ]; then
-		curl_with_subst_ip $dom $port $subst "$@"
+		curl_with_subst_ip "$dom" $port $subst "$@"
 	else
-		curl_with_dig $ipv $dom $port "$@"
+		curl_with_dig $ipv "$dom" $port "$@"
 	fi
 }
 curl_test_http()
@@ -702,8 +702,8 @@ curl_test_http()
 	# $3 - subst ip
 	# $4 - "detail" - detail info
 
-	local code loc hdrt="${HDRTEMP}_${!:-$$}.txt"
+	local code loc hdrt="${HDRTEMP}_${!:-$$}.txt" dom="$(tolower "$2")"
-	curl_probe $1 $2 $HTTP_PORT "$3" -SsD "$hdrt" -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT "http://$2" -o /dev/null 2>&1 || {
+	curl_probe $1 "$2" $HTTP_PORT "$3" -SsD "$hdrt" -A "$USER_AGENT" --max-time $CURL_MAX_TIME $CURL_OPT "http://$2" -o /dev/null 2>&1 || {
 		code=$?
 		rm -f "$hdrt"
 		return $code
@@ -715,8 +715,9 @@ curl_test_http()
 		code=$(hdrfile_http_code "$hdrt")
 		[ "$code" = 301 -o "$code" = 302 -o "$code" = 307 -o "$code" = 308 ] && {
 			loc=$(hdrfile_location "$hdrt")
-			echo "$loc" | grep -qE "^https?://.*$2(/|$)" ||
+			split_by_separator "$dom" / dom
-			echo "$loc" | grep -vqE '^https?://' || {
+			tolower "$loc" | grep -qE "^https?://.*$dom(/|$)" ||
+			tolower "$loc" | grep -vqE '^https?://' || {
 				echo suspicious redirection $code to : $loc
 				rm -f "$hdrt"
 				return 254
@@ -1079,7 +1080,7 @@ ws_curl_test()
 	# $2 - test function
 	# $3 - domain
 	# $4,$5,$6, ... - ws params
-	local code ws_start=$1 testf=$2 dom=$3
+	local code ws_start=$1 testf=$2 dom="$3"
 
 	[ "$SIMULATE" = 1 ] && {
 		n=$(random 0 99)
@@ -1095,7 +1096,7 @@ ws_curl_test()
 	shift
 	shift
 	$ws_start "$@"
-	curl_test $testf $dom
+	curl_test $testf "$dom"
 	code=$?
 	ws_kill
 	return $code
@@ -1108,7 +1109,7 @@ tpws_curl_test()
 	echo - $1 ipv$IPV $2 : tpws $3 $4 $5 $6 $7 $8 $9${TPWS_EXTRA:+ $TPWS_EXTRA}${TPWS_EXTRA_1:+ "$TPWS_EXTRA_1"}${TPWS_EXTRA_2:+ "$TPWS_EXTRA_2"}${TPWS_EXTRA_3:+ "$TPWS_EXTRA_3"}${TPWS_EXTRA_4:+ "$TPWS_EXTRA_4"}${TPWS_EXTRA_5:+ "$TPWS_EXTRA_5"}${TPWS_EXTRA_6:+ "$TPWS_EXTRA_6"}${TPWS_EXTRA_7:+ "$TPWS_EXTRA_7"}${TPWS_EXTRA_8:+ "$TPWS_EXTRA_8"}${TPWS_EXTRA_9:+ "$TPWS_EXTRA_9"}
 	local ALL_PROXY="socks5://127.0.0.1:$SOCKS_PORT"
 	ws_curl_test tpws_start "$@"${TPWS_EXTRA:+ $TPWS_EXTRA}${TPWS_EXTRA_1:+ "$TPWS_EXTRA_1"}${TPWS_EXTRA_2:+ "$TPWS_EXTRA_2"}${TPWS_EXTRA_3:+ "$TPWS_EXTRA_3"}${TPWS_EXTRA_4:+ "$TPWS_EXTRA_4"}${TPWS_EXTRA_5:+ "$TPWS_EXTRA_5"}${TPWS_EXTRA_6:+ "$TPWS_EXTRA_6"}${TPWS_EXTRA_7:+ "$TPWS_EXTRA_7"}${TPWS_EXTRA_8:+ "$TPWS_EXTRA_8"}${TPWS_EXTRA_9:+ "$TPWS_EXTRA_9"}
-	local testf=$1 dom=$2 strategy code=$?
+	local testf=$1 dom="$2" strategy code=$?
 	[ "$code" = 0 ] && {
 		shift; shift;
 		strategy="$@"
@@ -1122,11 +1123,11 @@ pktws_curl_test()
 	# $1 - test function
 	# $2 - domain
 	# $3,$4,$5, ... - nfqws/dvtws params
-	local testf=$1 dom=$2 strategy code
+	local testf=$1 dom="$2" strategy code
 
 	shift; shift;
 	echo - $testf ipv$IPV $dom : $PKTWSD ${WF:+$WF }${PKTWS_EXTRA_PRE:+$PKTWS_EXTRA_PRE }${PKTWS_EXTRA_PRE_1:+"$PKTWS_EXTRA_PRE_1" }${PKTWS_EXTRA_PRE_2:+"$PKTWS_EXTRA_PRE_2" }${PKTWS_EXTRA_PRE_3:+"$PKTWS_EXTRA_PRE_3" }${PKTWS_EXTRA_PRE_4:+"$PKTWS_EXTRA_PRE_4" }${PKTWS_EXTRA_PRE_5:+"$PKTWS_EXTRA_PRE_5" }${PKTWS_EXTRA_PRE_6:+"$PKTWS_EXTRA_PRE_6" }${PKTWS_EXTRA_PRE_7:+"$PKTWS_EXTRA_PRE_7" }${PKTWS_EXTRA_PRE_8:+"$PKTWS_EXTRA_PRE_8" }${PKTWS_EXTRA_PRE_9:+"$PKTWS_EXTRA_PRE_9" }$@${PKTWS_EXTRA:+ $PKTWS_EXTRA}${PKTWS_EXTRA_1:+ "$PKTWS_EXTRA_1"}${PKTWS_EXTRA_2:+ "$PKTWS_EXTRA_2"}${PKTWS_EXTRA_3:+ "$PKTWS_EXTRA_3"}${PKTWS_EXTRA_4:+ "$PKTWS_EXTRA_4"}${PKTWS_EXTRA_5:+ "$PKTWS_EXTRA_5"}${PKTWS_EXTRA_6:+ "$PKTWS_EXTRA_6"}${PKTWS_EXTRA_7:+ "$PKTWS_EXTRA_7"}${PKTWS_EXTRA_8:+ "$PKTWS_EXTRA_8"}${PKTWS_EXTRA_9:+ "$PKTWS_EXTRA_9"}
-	ws_curl_test pktws_start $testf $dom ${PKTWS_EXTRA_PRE:+$PKTWS_EXTRA_PRE }${PKTWS_EXTRA_PRE_1:+"$PKTWS_EXTRA_PRE_1" }${PKTWS_EXTRA_PRE_2:+"$PKTWS_EXTRA_PRE_2" }${PKTWS_EXTRA_PRE_3:+"$PKTWS_EXTRA_PRE_3" }${PKTWS_EXTRA_PRE_4:+"$PKTWS_EXTRA_PRE_4" }${PKTWS_EXTRA_PRE_5:+"$PKTWS_EXTRA_PRE_5" }${PKTWS_EXTRA_PRE_6:+"$PKTWS_EXTRA_PRE_6" }${PKTWS_EXTRA_PRE_7:+"$PKTWS_EXTRA_PRE_7" }${PKTWS_EXTRA_PRE_8:+"$PKTWS_EXTRA_PRE_8" }${PKTWS_EXTRA_PRE_9:+"$PKTWS_EXTRA_PRE_9" }"$@"${PKTWS_EXTRA:+ $PKTWS_EXTRA}${PKTWS_EXTRA_1:+ "$PKTWS_EXTRA_1"}${PKTWS_EXTRA_2:+ "$PKTWS_EXTRA_2"}${PKTWS_EXTRA_3:+ "$PKTWS_EXTRA_3"}${PKTWS_EXTRA_4:+ "$PKTWS_EXTRA_4"}${PKTWS_EXTRA_5:+ "$PKTWS_EXTRA_5"}${PKTWS_EXTRA_6:+ "$PKTWS_EXTRA_6"}${PKTWS_EXTRA_7:+ "$PKTWS_EXTRA_7"}${PKTWS_EXTRA_8:+ "$PKTWS_EXTRA_8"}${PKTWS_EXTRA_9:+ "$PKTWS_EXTRA_9"}
+	ws_curl_test pktws_start $testf "$dom" ${PKTWS_EXTRA_PRE:+$PKTWS_EXTRA_PRE }${PKTWS_EXTRA_PRE_1:+"$PKTWS_EXTRA_PRE_1" }${PKTWS_EXTRA_PRE_2:+"$PKTWS_EXTRA_PRE_2" }${PKTWS_EXTRA_PRE_3:+"$PKTWS_EXTRA_PRE_3" }${PKTWS_EXTRA_PRE_4:+"$PKTWS_EXTRA_PRE_4" }${PKTWS_EXTRA_PRE_5:+"$PKTWS_EXTRA_PRE_5" }${PKTWS_EXTRA_PRE_6:+"$PKTWS_EXTRA_PRE_6" }${PKTWS_EXTRA_PRE_7:+"$PKTWS_EXTRA_PRE_7" }${PKTWS_EXTRA_PRE_8:+"$PKTWS_EXTRA_PRE_8" }${PKTWS_EXTRA_PRE_9:+"$PKTWS_EXTRA_PRE_9" }"$@"${PKTWS_EXTRA:+ $PKTWS_EXTRA}${PKTWS_EXTRA_1:+ "$PKTWS_EXTRA_1"}${PKTWS_EXTRA_2:+ "$PKTWS_EXTRA_2"}${PKTWS_EXTRA_3:+ "$PKTWS_EXTRA_3"}${PKTWS_EXTRA_4:+ "$PKTWS_EXTRA_4"}${PKTWS_EXTRA_5:+ "$PKTWS_EXTRA_5"}${PKTWS_EXTRA_6:+ "$PKTWS_EXTRA_6"}${PKTWS_EXTRA_7:+ "$PKTWS_EXTRA_7"}${PKTWS_EXTRA_8:+ "$PKTWS_EXTRA_8"}${PKTWS_EXTRA_9:+ "$PKTWS_EXTRA_9"}
 
 	code=$?
 	[ "$code" = 0 ] && {
@@ -1152,11 +1153,11 @@ xxxws_curl_test_update()
 	# $2 - test function
 	# $3 - domain
 	# $4,$5,$6, ... - nfqws/dvtws params
-	local code xxxf=$1 testf=$2 dom=$3
+	local code xxxf=$1 testf=$2 dom="$3"
 	shift
 	shift
 	shift
-	$xxxf $testf $dom "$@"
+	$xxxf $testf "$dom" "$@"
 	code=$?
 	[ $code = 0 ] && strategy="${strategy:-$@}"
 	return $code
@@ -1317,13 +1318,13 @@ pktws_curl_test_update_vary()
 		[ "$fake" = "-" ] && continue
 		if [ -n "$splits" ]; then
 			for pos in $splits ; do
-				pktws_curl_test_update $testf $domain --dpi-desync=$desync "$@" --dpi-desync-split-pos=$pos $fake && {
+				pktws_curl_test_update $testf "$domain" --dpi-desync=$desync "$@" --dpi-desync-split-pos=$pos $fake && {
 					[ "$SCANLEVEL" = force ] || return 0
 					ret=0
 				}
 			done
 		else
-			pktws_curl_test_update $testf $domain --dpi-desync=$desync "$@" $fake && {
+			pktws_curl_test_update $testf "$domain" --dpi-desync=$desync "$@" $fake && {
 				[ "$SCANLEVEL" = force ] || return 0
 				ret=0
 			}
@@ -1572,7 +1573,7 @@ pktws_check_domain_http3_bypass_()
 
 	for fake in '' "--dpi-desync-fake-quic=$ZAPRET_BASE/files/fake/quic_initial_www_google_com.bin"; do
 		for rep in '' 2 5 10 20; do
-			pktws_curl_test_update $1 $2 --dpi-desync=fake ${fake:+$fake }${rep:+--dpi-desync-repeats=$rep} && [ "$SCANLEVEL" != force ] && {
+			pktws_curl_test_update $1 $2 --dpi-desync=fake ${fake:+"$fake" }${rep:+--dpi-desync-repeats=$rep} && [ "$SCANLEVEL" != force ] && {
 				[ "$SCANLEVEL" = quick ] && return
 				break
 			}
@@ -1698,7 +1699,7 @@ check_dpi_ip_block()
 	# $1 - test function
 	# $2 - domain
 
-	local blocked_dom=$2
+	local blocked_dom="$2"
 	local blocked_ip blocked_ips unblocked_ip
 
 	echo 
@@ -2188,7 +2189,7 @@ check_dns_()
 	if find_working_public_dns ; then
 		echo comparing system resolver to public DNS : $PUBDNS
 		for dom in $DNSCHECK_DOM; do
-			if check_dns_spoof $dom $PUBDNS ; then
+			if check_dns_spoof "$dom" $PUBDNS ; then
 				echo $dom : MISMATCH
 				echo -- system resolver :
 				cat "$DNSCHECK_DIG1"

common/base.sh

@@ -109,6 +109,10 @@ split_by_separator()
 	[ -n "$3" ] && eval $3="\$before"
 	[ -n "$4" ] && eval $4="\$after"
 }
+tolower()
+{
+	echo "$@" | tr 'A-Z' 'a-z'
+}
 
 dir_is_not_empty()
 {

common/dialog.sh

@@ -36,12 +36,11 @@ ask_list()
 	# $3 - (optional) default value
 	local M_DEFAULT
 	eval M_DEFAULT="\$$1"
-	local M_ALL=$M_DEFAULT
+	local M_DEFAULT_VAR="$M_DEFAULT"
-	local M=""
+	local M="" m
-	local m
+
-	
 	[ -n "$3" ] && { find_str_in_list "$M_DEFAULT" "$2" || M_DEFAULT="$3" ;}
-	
+
 	n=1
 	for m in $2; do
 		echo $n : $m
@@ -53,6 +52,6 @@ ask_list()
 	[ -z "$M" ] && M="$M_DEFAULT"
 	echo selected : $M
 	eval $1="\"$M\""
-	
+
-	[ "$M" != "$M_OLD" ]
+	[ "$M" != "$M_DEFAULT_VAR" ]
 }

common/installer.sh

@@ -256,7 +256,7 @@ check_system()
 
 get_free_space_mb()
 {
-    df -m $PWD | awk '/[0-9]%/{print $(NF-2)}'
+    df -m "$1" | awk '/[0-9]%/{print $(NF-2)}'
 }
 get_ram_kb()
 {
@@ -522,11 +522,6 @@ install_openwrt_firewall()
 {
 	echo \* installing firewall script $1
 	
-	[ -n "MODE" ] || {
-		echo should specify MODE in $ZAPRET_CONFIG
-		exitp 7
-	}
-	
 	echo "linking : $FW_SCRIPT_SRC => $OPENWRT_FW_INCLUDE"
 	ln -fs "$FW_SCRIPT_SRC" "$OPENWRT_FW_INCLUDE"
 	
@@ -832,7 +827,9 @@ select_fwtype()
 		echo WARNING ! if you need large lists it may be necessary to fall back to iptables+ipset firewall
 	}
 	echo select firewall type :
-	ask_list FWTYPE "iptables nftables" "$FWTYPE" && write_config_var FWTYPE
+	ask_list FWTYPE "iptables nftables" "$FWTYPE"
+	# always write config var to prevent auto discovery every time
+	write_config_var FWTYPE
 }
 
 dry_run_tpws_()

common/ipt.sh

@@ -43,7 +43,7 @@ ipt6_add_del()
 }
 ipt6a_add_del()
 {
-	on_off_function ipt6 ipt6a_del "$@"
+	on_off_function ipt6a ipt6_del "$@"
 }
 
 is_ipt_flow_offload_avail()

docs/changes.txt

@@ -591,3 +591,12 @@ blockcheck: fix tpws test regression
 
 nfqws,tpws: memleak fix
 mdig: --eagain, --eagain-delay
+
+73.8
+
+nfqws: fix breaking tcp if ts fooling is enabled but no timestamps present
+
+73.9
+
+blockcheck: fix detection of http redirection if domain/URI specified
+install_easy: fix writing of ask_list variables

docs/readme.en.md

@@ -207,8 +207,8 @@ nfqws takes the following parameters:
  --dpi-desync-fakedsplit-mod=mod[,mod]                     ; mods can be none,altorder=0|1|2|3 + 0|8|16
  --dpi-desync-hostfakesplit-midhost=marker+N|marker-N      ; additionally split real hostname at specified marker. must be within host..endhost or won't be splitted.
  --dpi-desync-hostfakesplit-mod=mod[,mod]                  ; can be none, host=<hostname>, altorder=0|1
- --dpi-desync-ipfrag-pos-tcp=<8..9216>                     ; ip frag position starting from the transport header. multiple of 8, default 8.
+ --dpi-desync-ipfrag-pos-tcp=<8..9216>                     ; ip frag position starting from the transport header. multiple of 8, default 32.
- --dpi-desync-ipfrag-pos-udp=<8..9216>                     ; ip frag position starting from the transport header. multiple of 8, default 32.
+ --dpi-desync-ipfrag-pos-udp=<8..9216>                     ; ip frag position starting from the transport header. multiple of 8, default 8.
  --dpi-desync-ts-increment=<int|0xHEX>                     ; ts fooling TSval signed increment. default -600000
  --dpi-desync-badseq-increment=<int|0xHEX>                 ; badseq fooling seq signed increment. default -10000
  --dpi-desync-badack-increment=<int|0xHEX>                 ; badseq fooling ackseq signed increment. default -66000

docs/readme.md

@@ -4,6 +4,12 @@ zapret является свободным и open source.
 Всякий, кто понуждает вас скачивать zapret только с его ресурса, требует удалить ссылки, видео, файлы, обосновывая эти требования авторскими правами, сам нарушает [лицензию](./LICENSE.txt).
 Однако, это не исключает [добровольные пожертвования](#поддержать-разработчика).
 
+# zapret2
+
+Эта версия zapret более не развивается и находится в режиме EOL (End-Of-Life). Никаких новых функций больше не будет. Только багфиксы.
+
+[Актуальная версия - zapret 2](https://github.com/bol-van/zapret2)
+
 # Multilanguage README
 
 [![en](https://img.shields.io/badge/lang-en-red.svg)](./readme.en.md)
@@ -231,6 +237,8 @@ dvtws, собираемый из тех же исходников (см. [док
 --dpi-desync-fakedsplit-mod=mod[,mod]                     ; может быть none, altorder=0|1|2|3 + 0|8|16
 --dpi-desync-hostfakesplit-midhost=marker+N|marker-N      ; маркер дополнительного разреза сегмента с оригинальным хостом. должен попадать в пределы хоста.
 --dpi-desync-hostfakesplit-mod=mod[,mod]                  ; может быть none, host=<hostname>, altorder=0|1
+--dpi-desync-ipfrag-pos-tcp=<8..9216>                     ; позиция ip фрагментации tcp, начиная с транспортного заголовка. должно быть кратно 8, по умолчанию - 32.
+--dpi-desync-ipfrag-pos-udp=<8..9216>                     ; позиция ip фрагментации udp, начиная с транспортного заголовка. должно быть кратно 8, по умолчанию - 8.
 --dpi-desync-ts-increment=<int|0xHEX>                     ; инкремент TSval для ts. по умолчанию -600000
 --dpi-desync-badseq-increment=<int|0xHEX>                 ; инкремент sequence number для badseq. по умолчанию -10000
 --dpi-desync-badack-increment=<int|0xHEX>                 ; инкремент ack sequence number для badseq. по умолчанию -66000

install_easy.sh

@@ -323,7 +323,7 @@ ask_config_tmpdir()
 		echo /tmp in openwrt is tmpfs. on low RAM systems there may be not enough RAM to store downloaded files
 		echo default tmpfs has size of 50% RAM
 		echo "RAM  : $(get_ram_mb) Mb"
-		echo "DISK : $(get_free_space_mb) Mb"
+		echo "DISK : $(get_free_space_mb "$EXEDIR/tmp") Mb"
 		echo select temp file location
 		[ -z "$TMPDIR" ] && TMPDIR=/tmp
 		ask_list TMPDIR "/tmp $EXEDIR/tmp" && {

nfq/darkmagic.c

@@ -192,7 +192,7 @@ static uint16_t tcpopt_len(bool sack, bool mss, uint32_t fooling, const uint32_t
 	if (sack) t+=2;
 	if (mss) t+=4;
 	if (fooling & FOOL_MD5SIG) t+=18;
-	if ((fooling & FOOL_TS) || timestamps) t+=10;
+	if (timestamps) t+=10;
 	if (scale_factor!=SCALE_NONE) t+=3;
 	return (t+3)&~3;
 }
@@ -928,6 +928,7 @@ void proto_skip_ipv6(uint8_t **data, size_t *len, uint8_t *proto_type, uint8_t *
 	if (proto_type) *proto_type = 0; // put error in advance
 
 	HeaderType = (*data)[6]; // NextHeader field
+	if (proto_type) *proto_type = HeaderType;
 	if (last_header_type) *last_header_type = (*data)+6;
 	*data += 40; *len -= 40; // skip ipv6 base header
 	while (*len > 0) // need at least one byte for NextHeader field

nfq/nfqws.c

@@ -1883,8 +1883,8 @@ static void exithelp(void)
 		" --dpi-desync-fakedsplit-mod=mod[,mod]\t\t\t; mods can be none,altorder=0|1|2|3 + 0|8|16\n"
 		" --dpi-desync-hostfakesplit-midhost=marker+N|marker-N\t; additionally split real hostname at specified marker. must be within host..endhost or won't be splitted.\n"
 		" --dpi-desync-hostfakesplit-mod=mod[,mod]\t\t; mods can be none,host=<hostname>,altorder=0|1\n"
-		" --dpi-desync-ipfrag-pos-tcp=<8..%u>\t\t\t; ip frag position starting from the transport header. multiple of 8, default %u.\n"
 		" --dpi-desync-ipfrag-pos-udp=<8..%u>\t\t\t; ip frag position starting from the transport header. multiple of 8, default %u.\n"
+		" --dpi-desync-ipfrag-pos-tcp=<8..%u>\t\t\t; ip frag position starting from the transport header. multiple of 8, default %u.\n"
 		" --dpi-desync-ts-increment=<int|0xHEX>\t\t\t; ts fooling TSval signed increment. default %d\n"
 		" --dpi-desync-badseq-increment=<int|0xHEX>\t\t; badseq fooling seq signed increment. default %d\n"
 		" --dpi-desync-badack-increment=<int|0xHEX>\t\t; badseq fooling ackseq signed increment. default %d\n"

nfq/protocol.c

@@ -615,24 +615,18 @@ bool IsQUICCryptoHello(const uint8_t *data, size_t len, size_t *hello_offset, si
 uint8_t QUICDraftVersion(uint32_t version)
 {
 	/* IETF Draft versions */
-	if ((version >> 8) == 0xff0000) {
+	if ((version >> 8) == 0xff0000)
 		return (uint8_t)version;
-	}
 	/* Facebook mvfst, based on draft -22. */
-	if (version == 0xfaceb001) {
+	if (version == 0xfaceb001)
 		return 22;
-	}
 	/* Facebook mvfst, based on draft -27. */
-	if (version == 0xfaceb002 || version == 0xfaceb00e) {
+	if (version == 0xfaceb002 || version == 0xfaceb00e)
 		return 27;
-	}
 	/* GQUIC Q050, T050 and T051: they are not really based on any drafts,
 	 * but we must return a sensible value */
-	if (version == 0x51303530 ||
+	if (version == 0x51303530 || version == 0x54303530 || version == 0x54303531)
-		version == 0x54303530 ||
-		version == 0x54303531) {
 		return 27;
-	}
 	/* https://tools.ietf.org/html/draft-ietf-quic-transport-32#section-15
 	   "Versions that follow the pattern 0x?a?a?a?a are reserved for use in
 	   forcing version negotiation to be exercised"
@@ -640,19 +634,17 @@ uint8_t QUICDraftVersion(uint32_t version)
 	   used to select a proper salt (which depends on the version itself), but
 	   we don't have a real version here! Let's hope that we need to handle
 	   only latest drafts... */
-	if ((version & 0x0F0F0F0F) == 0x0a0a0a0a) {
+	if ((version & 0x0F0F0F0F) == 0x0a0a0a0a)
 		return 29;
-	}
 	/* QUIC (final?) constants for v1 are defined in draft-33, but draft-34 is the
 	   final draft version */
-	if (version == 0x00000001) {
+	if (version == 0x00000001)
 		return 34;
-	}
 	/* QUIC Version 2 */
 	/* TODO: for the time being use 100 as a number for V2 and let see how v2 drafts evolve */
-	if (version == 0x709A50C4) {
+	if ((version == 0x709A50C4) || (version == 0x6b3343cf))
 		return 100;
-	}
+
 	return 0;
 }
 
@@ -662,7 +654,7 @@ static bool is_quic_draft_max(uint32_t draft_version, uint8_t max_version)
 }
 static bool is_quic_v2(uint32_t version)
 {
-    return version == 0x6b3343cf;
+    return (version == 0x709A50C4) || (version == 0x6b3343cf);
 }
 
 static bool quic_hkdf_expand_label(const uint8_t *secret, uint8_t secret_len, const char *label, uint8_t *out, size_t out_len)
@@ -811,6 +803,7 @@ bool QUICDecryptInitial(const uint8_t *data, size_t data_len, uint8_t *clean, si
 	if ((pn_offset + tvb_get_size(data[pn_offset])) >= data_len) return false;
 	pn_offset += tvb_get_varint(data + pn_offset, &token_len);
 	pn_offset += token_len;
+	if (pn_offset >= data_len) return false;
 	if ((pn_offset + tvb_get_size(data[pn_offset])) >= data_len) return false;
 	pn_offset += tvb_get_varint(data + pn_offset, &payload_len);
 	if (payload_len<20 || (pn_offset + payload_len)>data_len) return false;