go-header icon indicating copy to clipboard operation
go-header copied to clipboard
verified publisher icon celestiaorg

p2p: session.doRequest should define what happens if the response headers were more than the requested amount else encounter an integer overflow and a DOS vector

Open odeke-em opened this issue 1 year ago • 1 comments

https://github.com/celestiaorg/go-header/blob/18f0eb1c5d3aeab6476123da0dad57e82c067984/p2p/session.go#L232

looks very trusting hence suspicious because if the response headers were even off by just 1 extra, the value of remaining headers will overflow to uint64(-1) which is a very very large number. I suggest that we add a check to avoid this attack vector that could cause prepareRequests to consume large amounts of memory.

Kindly cc-ing @Wondertan @walldiss @liamsi

odeke-em avatar Oct 22 '24 17:10 odeke-em

Hey, thanks for catching that!

I took a closer look, and here's what's happening in the code: helpers.go link

var totalRespLn uint64
for i := 0; i < int(req.Amount); i++ {
    resp := new(p2p_pb.HeaderResponse)
    respLn, readErr := serde.Read(stream, resp)
    if readErr != nil {
        err = readErr
        break
    }

    totalRespLn += uint64(respLn)
    headers = append(headers, resp)
}

The condition len(h) > req.Amount shouldn't happen right now, but you're right—it could be error-prone. Adding an extra sanity check would be a good idea to prevent any potential issues

walldiss avatar Oct 29 '24 11:10 walldiss