Skip to content

fix: adding length validation on deserialization #19415

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
PhilWindle merged 1 commit into from
Jan 13, 2026
Merged

fix: adding length validation on deserialization #19415

PhilWindle merged 1 commit into from
Jan 13, 2026

Conversation

@mrzeszutko
Copy link
Contributor

@mrzeszutko mrzeszutko commented Jan 8, 2026
edited
Loading

Summary

Add semantic validation to P2P message deserialization to reject protocol-violating array/string lengths. This prevents DoS attacks via maliciously crafted messages that specify enormous sizes, which could cause memory exhaustion before the buffer range check catches the issue.

Changes

Foundation Layer

  • BufferReader: Added optional maxSize parameter to readVector(), readBuffer(), and readString() methods. This is a non-breaking change - all 161+ existing calls continue to work unchanged.

Constants Organization

  • stdlib/deserialization: New module with shared constants:

    • MAX_TXS_PER_BLOCK = 2 ** 16 (65536)
    • MAX_COMMITTEE_SIZE = 2,048 (theoretical max from bitmap design: 256 bytes × 8 bits)
    • MAX_BLOCKS_PER_CHECKPOINT = 72
    • MAX_TX_EFFECTS_PER_BODY = BLOBS_PER_CHECKPOINT * FIELDS_PER_BLOB
    • MAX_BLOCK_HASH_STRING_LENGTH = 128

  • p2p/reqresp/constants: P2P-specific constants:

    • MAX_VERSION_STRING_LENGTH = 64
    • MAX_BLOCK_HASH_STRING_LENGTH = 128
    • Re-exports MAX_TXS_PER_BLOCK from stdlib

Bounds Checking Added To

File Validation Added
BlockProposal.fromBuffer txHashes, txs arrays
SignedTxs.fromBuffer txs array
CheckpointProposal.fromBuffer txHashes array
Checkpoint.fromBuffer blocks vector
PublishedCheckpoint.fromBuffer attestations, l1BlockHash
Body.fromBuffer txEffects vector
CheckpointedL2Block.fromBuffer attestations, l1BlockHash
PublishedL2Block.fromBuffer attestations, l1BlockHash
deserializeValidateBlockResult committee, attestors, attestations, reason string
StatusMessage.fromBuffer version string, block hash
BitVector.fromBuffer length field

Tests

  • Added 9 new tests for BufferReader maxSize bounds checking
  • Added 2 tests for BitVector bounds validation

Fixes A-273

@mrzeszutko mrzeszutko changed the title Adding lenght validation on deserialization fix: adding lenght validation on deserialization Jan 8, 2026
@mrzeszutko mrzeszutko force-pushed the feature/bitvector-semantic-validation branch from c73a4ea to b6cc9cb Compare January 8, 2026 14:08
@PhilWindle PhilWindle changed the title fix: adding lenght validation on deserialization fix: adding length validation on deserialization Jan 8, 2026
PhilWindle
PhilWindle reviewed Jan 9, 2026
View reviewed changes
Copy link
Collaborator

@PhilWindle PhilWindle left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. Just one thing we need to check.

yarn-project/p2p/src/services/reqresp/protocols/status.ts
const reader = BufferReader.asReader(buffer);
return new StatusMessage(
reader.readString(), // compressedComponentsVersion
reader.readString(MAX_VERSION_STRING_LENGTH), // compressedComponentsVersion
Copy link
Collaborator

@PhilWindle PhilWindle Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we just check this? This version isn't a semver (i.e. 1.2.3-alpha.123). It's our compressed components version which incorporates a number of items. Can you verify that MAX_VERSION_STRING_LENGTH is sufficient for this?

Copy link
Collaborator

@PhilWindle PhilWindle Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Here is an example:

p2p:7:libp2p_service:libp2p_service Started libp2p service with protocol version 00-31337-00000000-0-14d6d44e-01eff751

Copy link
Collaborator

@PhilWindle PhilWindle Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should be fine as MAX_VERSION_STRING_LENGTH is 64, but would like to check.

Copy link
Contributor Author

@mrzeszutko mrzeszutko Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@PhilWindle 64 seems to be enough for MAX_VERSION_STRING_LENGTH looking at how the version string is created:

  return [
    '00',
    versions.l1ChainId,
    versions.l1RollupAddress.toString().slice(2, 10),
    versions.rollupVersion,
    versions.l2ProtocolContractsHash.toString().slice(2, 10),
    versions.l2CircuitsVkTreeRoot.toString().slice(2, 10),
  ].join('-');

64 seems to be 2x as long as expected length

@PhilWindle PhilWindle added this pull request to the merge queue Jan 12, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jan 12, 2026
@PhilWindle PhilWindle added this pull request to the merge queue Jan 12, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jan 12, 2026
@PhilWindle PhilWindle added this pull request to the merge queue Jan 12, 2026
@AztecBot
Copy link
Collaborator

AztecBot commented Jan 12, 2026
edited
Loading

Flakey Tests

🤖 says: This CI run detected 2 tests that failed, but were tolerated due to a .test_patterns.yml entry.

\033FLAKED\033 (8;;http://ci.aztec-labs.com/8986701107c83c15�8986701107c83c158;;�): yarn-project/end-to-end/scripts/run_test.sh web3signer src/composed/web3signer/e2e_multi_validator_node_key_store.test.ts (37s) (code: 1) (\033PhilWindle\033: fix: adding length validation on deserialization (#19415))
\033FLAKED\033 (8;;http://ci.aztec-labs.com/9cc31d8acd29cc23�9cc31d8acd29cc238;;�):  yarn-project/end-to-end/scripts/run_test.sh simple src/e2e_p2p/gossip_network.test.ts (451s) (code: 1) group:e2e-p2p-epoch-flakes (\033PhilWindle\033: fix: adding length validation on deserialization (#19415))

@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jan 12, 2026
@PhilWindle PhilWindle enabled auto-merge January 12, 2026 14:18
@AztecBot AztecBot force-pushed the feature/bitvector-semantic-validation branch from 4e795d8 to 3e72988 Compare January 12, 2026 14:30
@PhilWindle PhilWindle added this pull request to the merge queue Jan 12, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to a conflict with the base branch Jan 12, 2026
@mrzeszutko mrzeszutko force-pushed the feature/bitvector-semantic-validation branch from 3e72988 to 11f73b1 Compare January 13, 2026 10:43
@mrzeszutko mrzeszutko force-pushed the feature/bitvector-semantic-validation branch from 11f73b1 to 994b779 Compare January 13, 2026 11:04
@PhilWindle PhilWindle enabled auto-merge January 13, 2026 11:21
@PhilWindle PhilWindle added this pull request to the merge queue Jan 13, 2026
Merged via the queue into next with commit 9453faa Jan 13, 2026
16 checks passed
@PhilWindle PhilWindle deleted the feature/bitvector-semantic-validation branch January 13, 2026 11:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@PhilWindle PhilWindle PhilWindle approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mrzeszutko @AztecBot @PhilWindle