keytrans: Validate tree_size and pos before tree math

Co-authored-by: Steve Weis <sweis@anthropic.com>

Author: moiseev-signal

rust/keytrans/src/implicit.rs

@@ -163,4 +163,26 @@ mod test {
             let _ = root(start, n);
         });
     }
+
+    // These functions require `start < n`. Callers in `verify.rs` validate
+    // `tree_size` and `pos` against `MAX_TREE_SIZE` and each other before
+    // reaching this module.
+
+    #[test]
+    #[should_panic(expected = "leaf node has no children")]
+    fn precondition_frontier_panics_on_zero_n() {
+        let _ = frontier(0, 0);
+    }
+
+    #[test]
+    #[should_panic(expected = "leaf node has no children")]
+    fn precondition_root_panics_when_start_equals_n() {
+        let _ = root(1, 1);
+    }
+
+    #[test]
+    #[should_panic(expected = "leaf node has no children")]
+    fn precondition_root_panics_when_start_exceeds_n() {
+        let _ = root(10, 5);
+    }
 }

rust/keytrans/src/log.rs

@@ -206,6 +206,29 @@ mod math {
             assert_eq!(batch_copath(&[0, 2, 3, 4], 8), vec![2, 10, 13]);
             assert_eq!(batch_copath(&[0, 2, 3], 8), vec![2, 11]);
         }
+
+        // `node_width(n) = 2*(n-1)+1` overflows for `n > 2^63`. Callers in
+        // `verify.rs` bound `tree_size` by `MAX_TREE_SIZE` (`2^62`) before
+        // reaching this module.
+
+        #[test]
+        #[should_panic(expected = "attempt to multiply with overflow")]
+        fn precondition_node_width_panics_above_2_63() {
+            let _ = node_width((1u64 << 63) + 1);
+        }
+
+        #[test]
+        #[should_panic(expected = "attempt to multiply with overflow")]
+        fn precondition_root_panics_above_2_63() {
+            let _ = root((1u64 << 63) + 1);
+        }
+
+        #[test]
+        fn node_width_safe_at_max_tree_size() {
+            // MAX_TREE_SIZE = 2^62; node_width(2^62) = 2^63 - 1 fits in u64.
+            let _ = node_width(1u64 << 62);
+            let _ = root(1u64 << 62);
+        }
     }
 }
 

rust/keytrans/src/verify.rs

@@ -38,6 +38,13 @@ const ALLOWED_AUDITOR_TIMESTAMP_RANGE: &TimestampRange = &TimestampRange {
 };
 const ENTRIES_MAX_BEHIND: u64 = 10_000_000;
 
+/// Upper bound on `tree_size` accepted from the server.
+///
+/// Tree math in [`crate::implicit`] and [`crate::log`] performs arithmetic
+/// like `2*(n-1)+1` that would overflow for `n > 2^63`. Bounding `tree_size`
+/// at `2^62` keeps all such arithmetic safely within `u64`.
+const MAX_TREE_SIZE: u64 = 1u64 << 62;
+
 #[derive(Clone, Debug, displaydoc::Display)]
 pub enum Error {
     /// Required field '{0}' not found
@@ -466,6 +473,19 @@ fn verify_search_internal(
     };
     let search_proof = get_proto_field(&search, "search")?;
 
+    // Validate server-controlled tree parameters before any tree math, which
+    // would otherwise panic on out-of-range values.
+    if tree_size == 0 || tree_size > MAX_TREE_SIZE {
+        return Err(Error::VerificationFailed(
+            "tree_size out of range".to_string(),
+        ));
+    }
+    if search_proof.pos >= tree_size {
+        return Err(Error::VerificationFailed(
+            "search proof pos must be less than tree_size".to_string(),
+        ));
+    }
+
     let guide = ProofGuide::new(version, search_proof.pos, tree_size);
 
     let mut i = 0;
@@ -601,6 +621,14 @@ pub fn verify_monitor<'a>(
     let tree_head = get_proto_field(&full_tree_head.tree_head, "tree_head")?;
     let tree_size = tree_head.tree_size;
 
+    // Validate server-controlled tree_size before any tree math, which would
+    // otherwise panic on out-of-range values.
+    if tree_size == 0 || tree_size > MAX_TREE_SIZE {
+        return Err(Error::VerificationFailed(
+            "tree_size out of range".to_string(),
+        ));
+    }
+
     let MonitorContext {
         last_tree_head,
         last_distinguished_tree_head,