core/vm: cap CometBFT light client validator count to prevent DoS

MatusKysel · MatusKysel · commit cd4242d0305a · 2026-02-24T14:27:51.000+01:00
diff --git a/core/vm/lightclient/v2/lightclient.go b/core/vm/lightclient/v2/lightclient.go
@@ -143,6 +143,9 @@ func DecodeConsensusState(input []byte) (ConsensusState, error) {
 	if inputLen <= minimumLength || (inputLen-minimumLength)%singleValidatorBytesLength != 0 {
 		return ConsensusState{}, fmt.Errorf("expected input size %d+%d*N, actual input size: %d", minimumLength, singleValidatorBytesLength, inputLen)
 	}
+	if inputLen > maxConsensusStateLength {
+		return ConsensusState{}, fmt.Errorf("consensus state too large: %d bytes exceeds maximum %d (max 99 validators)", inputLen, maxConsensusStateLength)
+	}
 
 	pos := uint64(0)
 	chainID := string(bytes.Trim(input[pos:pos+chainIDLength], "\x00"))
@@ -207,6 +210,10 @@ func DecodeLightBlockValidationInput(input []byte) (*ConsensusState, *types.Ligh
 		return nil, nil, fmt.Errorf("integer overflow, csLen: %d", csLen)
 	}
 
+	if csLen > maxConsensusStateLength {
+		return nil, nil, fmt.Errorf("consensus state length %d exceeds maximum %d", csLen, maxConsensusStateLength)
+	}
+
 	if uint64(len(input)) <= consensusStateLengthBytesLength+csLen {
 		return nil, nil, fmt.Errorf("expected payload size %d, actual size: %d", consensusStateLengthBytesLength+csLen, len(input))
 	}

Original file line number	Diff line number	Diff line change
`@@ -143,6 +143,9 @@ func DecodeConsensusState(input []byte) (ConsensusState, error) {`
`143`	`143`	`if inputLen <= minimumLength \|\| (inputLen-minimumLength)%singleValidatorBytesLength != 0 {`
`144`	`144`	`return ConsensusState{}, fmt.Errorf("expected input size %d+%d*N, actual input size: %d", minimumLength, singleValidatorBytesLength, inputLen)`
`145`	`145`	`}`
	`146`	`+ if inputLen > maxConsensusStateLength {`
	`147`	`+ return ConsensusState{}, fmt.Errorf("consensus state too large: %d bytes exceeds maximum %d (max 99 validators)", inputLen, maxConsensusStateLength)`
	`148`	`+ }`
`146`	`149`
`147`	`150`	`pos := uint64(0)`
`148`	`151`	`chainID := string(bytes.Trim(input[pos:pos+chainIDLength], "\x00"))`
`@@ -207,6 +210,10 @@ func DecodeLightBlockValidationInput(input []byte) (ConsensusState, types.Ligh`
`207`	`210`	`return nil, nil, fmt.Errorf("integer overflow, csLen: %d", csLen)`
`208`	`211`	`}`
`209`	`212`
	`213`	`+ if csLen > maxConsensusStateLength {`
	`214`	`+ return nil, nil, fmt.Errorf("consensus state length %d exceeds maximum %d", csLen, maxConsensusStateLength)`
	`215`	`+ }`
	`216`	`+`
`210`	`217`	`if uint64(len(input)) <= consensusStateLengthBytesLength+csLen {`
`211`	`218`	`return nil, nil, fmt.Errorf("expected payload size %d, actual size: %d", consensusStateLengthBytesLength+csLen, len(input))`
`212`	`219`	`}`