fix(network): reject duplicate HELLO instead of panicking

peilun-conflux · claude · peilun-conflux · commit 7402cabe2457 · 2026-06-01T13:29:27.000+08:00
A peer that completed HELLO and sent a second one re-entered `update_ingress_node_id` with its own token already in `node_id_index`, hitting a `panic!` — a remotely-triggerable node panic from the simultaneous-dial tie-break. Reject a second HELLO on an already-ready session with `BadProtocol` (disconnecting it like any protocol violation), and downgrade the now-unreachable index branch to a soft error. Surfaced via #3510. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
diff --git a/crates/network/src/session.rs b/crates/network/src/session.rs
@@ -309,6 +309,13 @@ impl Session {
         match packet.id {
             PACKET_HELLO => {
                 debug!("Read HELLO in session {:?}", self);
+                // A second HELLO would re-enter the ingress tie-break with this
+                // token already indexed (a remotely-triggerable panic). Reject
+                // it as a protocol violation.
+                if self.is_ready() {
+                    debug!("Duplicate HELLO on ready session {:?}", self);
+                    return Err(Error::BadProtocol);
+                }
                 self.metadata.peer_header_version = packet.header_version;
 
                 // Validate before the tie-break touches the index, so a failed
diff --git a/crates/network/src/session_manager.rs b/crates/network/src/session_manager.rs
@@ -383,7 +383,13 @@ impl SessionManager {
 
         if let Some(existing) = node_id_index.get(node_id).cloned() {
             if existing.token == idx {
-                panic!("The same token already exists for the same node!!!");
+                // Should be unreachable: the duplicate-HELLO guard in
+                // `Session::read_packet` rejects a second HELLO before this.
+                // Return a soft error instead of panicking the node.
+                return Err(format!(
+                    "node id index already maps node {:?} to this session's own token {}",
+                    node_id, idx
+                ));
             }
             let outcome = simultaneous_dial_outcome(
                 &self.own_node_id,
