From 9514e988d817b2909b4acb266259fca6f241514c Mon Sep 17 00:00:00 2001
From: Miny <261860441+OneMiny@users.noreply.github.com>
Date: Tue, 3 Mar 2026 12:08:02 +0000
Subject: [PATCH] VLESS Encryption: Check 17~17000 -> Check 17~16640 (#5698)

https://github.com/XTLS/Xray-core/pull/5698#issuecomment-3938558695
---
 proxy/vless/encryption/common.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/proxy/vless/encryption/common.go b/proxy/vless/encryption/common.go
index 65959c14..a715a2c3 100644
--- a/proxy/vless/encryption/common.go
+++ b/proxy/vless/encryption/common.go
@@ -107,7 +107,7 @@ func (c *CommonConn) Read(b []byte) (int, error) {
 if _, err := io.ReadFull(c.Conn, peerHeader[:]); err != nil {
 return 0, err
 }
- l, err := DecodeHeader(peerHeader[:]) // l: 17~17000
+ l, err := DecodeHeader(peerHeader[:]) // l: 17~16640
 if err != nil {
 if c.Client != nil && strings.Contains(err.Error(), "invalid header: ") { // client's 0-RTT
 c.Client.RWLock.Lock()
@@ -214,7 +214,7 @@ func DecodeHeader(h []byte) (l int, err error) {
 if h[0] != 23 || h[1] != 3 || h[2] != 3 {
 l = 0
 }
- if l < 17 || l > 17000 { // TODO: TLSv1.3 max length
+ if l < 17 || l > 16640 { // TLS 1.3 max record: 16384 + 256 (RFC 8446 ยง5.2)
 err = errors.New("invalid header: " + fmt.Sprintf("%v", h[:5])) // DO NOT CHANGE: relied by client's Read()
 }
 return
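Review bot: The ceiling 16640 is still a bare literal in the `DecodeHeader` check and is repeated by hand in the `// l: 17~16640` comment in `CommonConn.Read`, which is why this commit had to edit two places to change one bound. A package-level `const maxRecordLen = 16384 + 256 // RFC 8446 §5.2 TLSCiphertext length limit`, used as `if l < 17 || l > maxRecordLen {`, would keep the check and its documentation in step. Because `l` is taken from a peer-supplied header, the tighter bound is the safer one, but it is worth confirming that the sending path never emits a record longer than 16640. A peer built against the old 17000 ceiling would otherwise get the "invalid header: " error, which `Read` string-matches in the branch commented as the client's 0-RTT case. Both function bodies continue outside the hunks, so the send side and the use of `l` after the check are not visible here.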