fix(session): reject cmdUPD in protocol version 1

xtaci · xtaci · commit c8a401fdb45d · 2026-01-24T22:29:03.000+08:00
cmdUPD is a v2-only command used for flow control window updates.
Previously, recvLoop would accept and process cmdUPD even when
the session was configured for protocol version 1, which violates
the protocol specification.

This change adds a version check before processing cmdUPD. If the
session is not running v2, it now correctly returns ErrInvalidProtocol
and terminates the receive loop.
diff --git a/session.go b/session.go
@@ -468,7 +468,12 @@ func (s *Session) recvLoop() {
 			}
 			s.streamLock.Unlock()
 
-		case cmdUPD: // a window update signal
+		case cmdUPD: // a window update signal (v2 only)
+			if s.config.Version != 2 {
+				s.notifyProtoError(ErrInvalidProtocol)
+				return
+			}
+
 			_, err := io.ReadFull(s.conn, updHdr[:])
 			if err != nil {
 				s.notifyReadError(err)
