program: safe deserialize config keys from state #18
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
buffalojoec
force-pushed
the
safe-deserialize-config-keys-state
branch
2 times, most recently
from
e2b4b9f to
ec19760
Compare
buffalojoec
force-pushed
the
safe-deserialize-config-keys-state
branch
from
ec19760 to
db53895
Compare
joncinque
approved these changes
Nov 4, 2024
Contributor
joncinque
left a comment
joncinque
left a comment
There was a problem hiding this comment.
Makes sense -- nice catch and fix!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Problem
Working with the Firedancer conformance suite revealed another relatively inconsequential control flow mismatch between the BPF version of the Config program and its original builtin version.
Similar to #16, when the BPF version of the Config program attempts to deserialize
ConfigKeys- this time from account state - there can be mismatches on error codes due to BPF program panics due to memory allocations.In the case of a malformed account with a large
ShortU16vector length, but not enough data for the provided length, if the length causes too large of an allocation, the BPF program will panic (OOM), rather than returningProgramError::InvalidAccountDatalike the builtin does.Again, similar to #16, this would still cause an error, but this change ensures maximum backwards compatibility. Furthermore, writes to a config account's
ConfigKeysare shielded by the input buffer restrictions.Summary of Changes
Add a check for the provided
ShortU16vector length to the program's config account state deserialization, to catch any invalid buffers and avoid OOM panics in favor of backwards-compatible error codes.