Security/RLPx: Fix crash when peer sends out of bounds message id #438
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes nimbus-eth1#767.
Crashes occur when certain invalid RLPx messages are received from a peer. Specifically,
msgId
out of range. Because any peer can easily trigger this crash, we'd consider it a DOS vulnerability if Nimbus-eth1 was in general use.We noticed when syncing to Goerli, there were some rare crashes with this exception. It turned out one peer with custom code, perhaps malfunctioning, was sending these messages if we were unlucky enough to connect to it.
invokeThunk
is called fromdispatchMessages
and checks the range ofmsgId
. It correctly recognise that it's out of range, raises and exception and produces a message. Job done.Except the code in
dispatchMessage
treats all that as a warning instead of error, and continues to process the message. A bit lower down,msgId
is used again without a range check.The trivial fix is to check array bounds before access.
--
ps. Here's the stack trace ("reraised" sections hidden):