
fix a deserialization overflow edge case

Description

fix a deserialization overflow edge case

Summary:

A specially-constructed BlockTransactionsRequest can cause offset to
wrap in deserialization. In the current code, there is not any way this
could be dangerous; but disallowing it reduces the potential for future
surprises.

Backport of core PR14685.

The bug this PR is fixing doesn't apply directly to our code, since we
are already using 32 bit indexes (renames indices) since D1146 and the
deserialization size is limited to 0x02000000 by the MAX_SIZE constant
(see https://bitcoin.org/en/developer-reference#message-headers), so
MAX_SIZE < max(uint32_t) is the limiting factor for us.
In the meantime the overflow issue will occur if the MAX_SIZE constant
is raised above max(uint32_t).

This diff is also adapted to test the BlockTransactionRequest
deserialization against MAX_SIZE and make sure the overflow edge-case
is under control should the constant get raised. Static asserts will
cause the build to fail if the test's assumptions are no longer valid.

Test Plan:

ninja all check
./test/functional/test_runner.py abc-p2p-compactblocks

Reviewers: #bitcoin_abc, deadalnix, jasonbcox

Reviewed By: #bitcoin_abc, jasonbcox

Subscribers: jasonbcox

Differential Revision: https://reviews.bitcoinabc.org/D5049
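
The wrap described in the summary, as an added example that is not part of the commit or of Bitcoin ABC's code. It assumes the BIP 152 differential encoding of the request's indexes and 32-bit indexes as stated above; the function names are hypothetical, and the input vector stands in for values already read from the wire.

```cpp
#include <cstdint>
#include <limits>
#include <stdexcept>
#include <vector>

// Hypothetical names throughout; this is not Bitcoin ABC's serializer.
// `diffs` holds the differentially encoded values as read off the wire:
// each one is the gap between (previous absolute index + 1) and the next index.

// Unchecked form: the running offset has the same width as the index, so
// "last index + 1" wraps to 0 when the last index is the maximum value.
std::vector<uint32_t> DecodeUnchecked(const std::vector<uint64_t> &diffs) {
    std::vector<uint32_t> indexes;
    uint32_t offset = 0;
    for (uint64_t diff : diffs) {
        uint32_t index = static_cast<uint32_t>(diff) + offset;
        indexes.push_back(index);
        offset = index + 1; // wraps when index == 0xffffffff
    }
    return indexes;
}

// Checked form: the offset lives in a wider type and every sum is tested
// against the index range before it is narrowed.
std::vector<uint32_t> DecodeChecked(const std::vector<uint64_t> &diffs) {
    constexpr uint64_t MAX_INDEX = std::numeric_limits<uint32_t>::max();
    std::vector<uint32_t> indexes;
    uint64_t offset = 0; // at most MAX_INDEX + 1, which fits in 64 bits
    for (uint64_t diff : diffs) {
        if (diff > MAX_INDEX || offset + diff > MAX_INDEX) {
            throw std::overflow_error("indexes overflowed 32 bits");
        }
        uint32_t index = static_cast<uint32_t>(offset + diff);
        indexes.push_back(index);
        offset = uint64_t(index) + 1;
    }
    return indexes;
}

// True when the checked decoder refuses the input.
bool DecodeRejects(const std::vector<uint64_t> &diffs) {
    try {
        DecodeChecked(diffs);
    } catch (const std::overflow_error &) {
        return true;
    }
    return false;
}
```

With the constructed input `{0xffffffff, 0}`, the unchecked decoder returns indexes that are no longer strictly increasing, while the checked decoder throws on the second entry.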

Details

Provenance
Kaz Wesley <kaz@lambdaverse.org> Authored on Nov 13 2018, 20:40
Fabien Committed on Feb 3 2020, 16:20
jasonbcox Pushed on Feb 3 2020, 18:07
Reviewer
Restricted Project
Differential Revision
D5049: fix a deserialization overflow edge case
Parents
rSTAGINGe7ddc8a7d2c9: Prevent wrapping in setexcessiveblock RPC
Branches
Unknown
Tags
Unknown
References
tag: phabricator/base/15971