Impact
A malicious peer acting as a state-sync source can crash a syncing node with a crafted TrieChunk whose proof contains a TrieNodeChild whose suffix, when concatenated with the parent key via KeyNibbles::Add, exceeds the fixed 63-byte backing array. Add (primitives/src/key_nibbles.rs:332 / :341) indexes bytes[self.bytes_len()..self.bytes_len() + other.bytes_len()] with no combined-length check, causing an out-of-bounds slice panic (both the even- and odd-length branches).
KeyNibbles deserialization validates only the individual length <= 126, not the combined parent + suffix length. The panic occurs at put_chunk → child.key() → is_stump() → +, i.e. before proof.verify(), so no valid proof is required. As with the related child_index issue, exploitation requires being the victim's sync peer during state sync, and the resulting crash is transient (the node restarts and re-syncs).
Affected: core-rs-albatross <= 1.5.1 (nimiq-primitives).
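To make the failure mode concrete, below is an added example (not code from core-rs-albatross or nimiq-primitives) of a simplified nibble-packed key with a fixed 63-byte backing array. It shows an unchecked concatenation that panics once the combined parent + suffix length exceeds the array, beside a checked concatenation that rejects the input up front, which is the shape of fix the advisory describes. The names NibbleKey, MAX_BYTES, concat_unchecked, concat_checked and KeyTooLong are hypothetical and do not correspond to the project's own API.

```rust
// Hypothetical, simplified model of a nibble key with a fixed-size backing array.
// Added for illustration only; it is not the KeyNibbles type from nimiq-primitives.

const MAX_BYTES: usize = 63;              // fixed backing array, as in the advisory
const MAX_NIBBLES: usize = MAX_BYTES * 2; // 126: the per-key limit deserialization checks

#[derive(Clone, Debug, PartialEq)]
pub struct NibbleKey {
    bytes: [u8; MAX_BYTES],
    length: usize, // number of nibbles in use (two per byte)
}

#[derive(Debug, PartialEq)]
pub struct KeyTooLong {
    pub combined: usize,
}

impl NibbleKey {
    /// Builds a key from nibble values, enforcing only the individual-length limit,
    /// i.e. the check a deserializer performs on each key on its own.
    pub fn from_nibbles(nibbles: &[u8]) -> Option<Self> {
        if nibbles.len() > MAX_NIBBLES || nibbles.iter().any(|&n| n > 0xF) {
            return None;
        }
        let mut key = NibbleKey { bytes: [0u8; MAX_BYTES], length: 0 };
        for &n in nibbles {
            key.push(n);
        }
        Some(key)
    }

    pub fn len(&self) -> usize {
        self.length
    }

    /// Returns the i-th nibble (high half of the byte for even i, low half for odd i).
    pub fn nibble(&self, i: usize) -> u8 {
        let b = self.bytes[i / 2];
        if i % 2 == 0 { b >> 4 } else { b & 0x0F }
    }

    /// Appends one nibble. The index `self.length / 2` reaches 63 as soon as the key
    /// holds 126 nibbles, so writing past that point is an out-of-bounds index panic.
    fn push(&mut self, nibble: u8) {
        let idx = self.length / 2;
        if self.length % 2 == 0 {
            self.bytes[idx] = nibble << 4;
        } else {
            self.bytes[idx] |= nibble;
        }
        self.length += 1;
    }

    /// Unchecked concatenation: both inputs are individually valid (<= 126 nibbles),
    /// but nothing verifies that the combined length fits the backing array. This is
    /// the class of defect the advisory describes; the panic surfaces inside `push`.
    pub fn concat_unchecked(&self, other: &NibbleKey) -> NibbleKey {
        let mut out = self.clone();
        for i in 0..other.length {
            out.push(other.nibble(i));
        }
        out
    }

    /// Checked concatenation: refuse the operation when the combined length would
    /// exceed the backing array, returning an error the caller can turn into a
    /// rejected chunk instead of a crashed node.
    pub fn concat_checked(&self, other: &NibbleKey) -> Result<NibbleKey, KeyTooLong> {
        let combined = self.length + other.length;
        if combined > MAX_NIBBLES {
            return Err(KeyTooLong { combined });
        }
        Ok(self.concat_unchecked(other))
    }
}

fn main() {
    // Constructed inputs: a 120-nibble parent key and a 10-nibble child suffix,
    // each valid on its own, 130 nibbles combined.
    let parent = NibbleKey::from_nibbles(&[0xA; 120]).unwrap();
    let suffix = NibbleKey::from_nibbles(&[0xF; 10]).unwrap();
    match parent.concat_checked(&suffix) {
        Ok(k) => println!("combined key has {} nibbles", k.len()),
        Err(e) => println!("rejected: {:?}", e),
    }
}
```

The checked variant is the one a chunk-processing path should call before any proof verification runs, since in the advisory's call chain the concatenation happens in is_stump() ahead of proof.verify(), where the untrusted input has not yet been authenticated.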
Patches
Fixed in 1.6.0 via #3790 (commit eabfc3e2), which guards key-nibble concatenation against exceeding the maximum length instead of indexing out of bounds.
Workarounds
None other than syncing only from trusted peers. Upgrade to 1.6.0.
References
#3790