From 2394972131e618d5996d68f8fe79f7b206cd243f Mon Sep 17 00:00:00 2001
From: Viktor Liu <viktor@netbird.io>
Date: Mon, 4 May 2026 13:40:00 +0200
Subject: [PATCH] Reject out-of-range UDP port before narrowing to uint16 in
 fakeAddress

---
 client/iface/wgproxy/bind/proxy.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/client/iface/wgproxy/bind/proxy.go b/client/iface/wgproxy/bind/proxy.go
index 5bf670e07..be6f3806e 100644
--- a/client/iface/wgproxy/bind/proxy.go
+++ b/client/iface/wgproxy/bind/proxy.go
@@ -203,6 +203,9 @@ func fakeAddress(peerAddress *net.UDPAddr) (*netip.AddrPort, error) {
 	if peerAddress == nil {
 		return nil, fmt.Errorf("nil peer address")
 	}
+	if peerAddress.Port < 0 || peerAddress.Port > 65535 {
+		return nil, fmt.Errorf("invalid UDP port: %d", peerAddress.Port)
+	}
 
 	addr, ok := netip.AddrFromSlice(peerAddress.IP)
 	if !ok {