zolfa
/
tendermint
1
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 221 Wiki Activity
Browse Source

p2p/conn: check for channel id overflow before processing receive msg (backport #6522) (#6528) 

* p2p/conn: check for channel id overflow before processing receive msg (#6522)

Per tendermint spec, each Channel has a globally unique byte id, which
is mapped to uint8 in Go. However, the proto PacketMsg.ChannelID field
is declared as int32, and when receive the packet, we cast it to a byte
without checking for possible overflow. That leads to a malform packet
with invalid channel id is sent successfully.

To fix it, we just add a check for possible overflow, and return invalid
channel id error.

Fixed #6521

(cherry picked from commit 1f46a4c90e)
pull/6581/head
mergify[bot] 3 years ago
committed by GitHub
parent
c376b44f1c
commit
358b1f23c0
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 49 additions and 4 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +5
    -4
      p2p/conn/connection.go
  2. +44
    -0
      p2p/conn/connection_test.go

+ 5
- 4
p2p/conn/connection.go View File

@ -624,8 +624,9 @@ FOR_LOOP:
// never block
}
case *tmp2p.Packet_PacketMsg:
channel, ok := c.channelsIdx[byte(pkt.PacketMsg.ChannelID)]
if !ok || channel == nil {
channelID := byte(pkt.PacketMsg.ChannelID)
channel, ok := c.channelsIdx[channelID]
if pkt.PacketMsg.ChannelID < 0 || pkt.PacketMsg.ChannelID > math.MaxUint8 || !ok || channel == nil {
err := fmt.Errorf("unknown channel %X", pkt.PacketMsg.ChannelID)
c.Logger.Debug("Connection failed @ recvRoutine", "conn", c, "err", err)
c.stopForError(err)
@ -641,9 +642,9 @@ FOR_LOOP:
break FOR_LOOP
}
if msgBytes != nil {
c.Logger.Debug("Received bytes", "chID", pkt.PacketMsg.ChannelID, "msgBytes", fmt.Sprintf("%X", msgBytes))
c.Logger.Debug("Received bytes", "chID", channelID, "msgBytes", msgBytes)
// NOTE: This means the reactor.Receive runs in the same thread as the p2p recv routine
c.onReceive(byte(pkt.PacketMsg.ChannelID), msgBytes)
c.onReceive(channelID, msgBytes)
}
default:
err := fmt.Errorf("unknown message type %v", reflect.TypeOf(packet))


+ 44
- 0
p2p/conn/connection_test.go View File

@ -587,3 +587,47 @@ func TestConnVectors(t *testing.T) {
require.Equal(t, tc.expBytes, hex.EncodeToString(bz), tc.testName)
}
}
func TestMConnectionChannelOverflow(t *testing.T) {
chOnErr := make(chan struct{})
chOnRcv := make(chan struct{})
mconnClient, mconnServer := newClientAndServerConnsForReadErrors(t, chOnErr)
t.Cleanup(stopAll(t, mconnClient, mconnServer))
mconnServer.onReceive = func(chID byte, msgBytes []byte) {
chOnRcv <- struct{}{}
}
client := mconnClient.conn
protoWriter := protoio.NewDelimitedWriter(client)
var packet = tmp2p.PacketMsg{
ChannelID: 0x01,
EOF: true,
Data: []byte(`42`),
}
_, err := protoWriter.WriteMsg(mustWrapPacket(&packet))
require.NoError(t, err)
assert.True(t, expectSend(chOnRcv))
packet.ChannelID = int32(1025)
_, err = protoWriter.WriteMsg(mustWrapPacket(&packet))
require.NoError(t, err)
assert.False(t, expectSend(chOnRcv))
}
type stopper interface {
Stop() error
}
func stopAll(t *testing.T, stoppers ...stopper) func() {
return func() {
for _, s := range stoppers {
if err := s.Stop(); err != nil {
t.Log(err)
}
}
}
}

Write Preview
Loading…
Cancel
Save