Thanks to @20urc3 for reporting!
Taken from their initial report:
Details
The function TransferHookInstruction::unpack assumes that the input slice rest is large enough to contain a Vec<ExtraAccountMeta>, but never verifies this.
Here is the relevant snippet:
```rust
InitializeExtraAccountMetaListInstruction::SPL_DISCRIMINATOR_SLICE => {
    let pod_slice = PodSlice::<ExtraAccountMeta>::unpack(rest)?; // ❌ unsafe read
    let extra_account_metas = pod_slice.data().to_vec();
    Self::InitializeExtraAccountMetaList {
        extra_account_metas,
    }
}
```

If rest begins with a large u32 value (e.g. 0xEBEBEBEB), PodSlice::unpack() will panic when it tries to create a slice of length * sizeof(ExtraAccountMeta) from rest.
This causes a runtime panic:
thread panicked at slice.rs: range end index 3958107115 out of range for slice of length 0
The function should perform bounds validation before calling PodSlice::unpack.
Note this does panic, but it's not a runtime panic. It's an sBPF program panic, which is handled gracefully by the runtime.
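A bounds-checked version of the length-prefixed parse the report describes, added here as an example that is not the project's own code: the `Meta` layout, `UnpackError` and `unpack_checked` are assumptions modeled on the 35-byte ExtraAccountMeta record, not spl-pod's API, and `encode` only exists to build constructed inputs such as the 0xEBEBEBEB count from the report.

```rust
/// Constructed stand-in for a 35-byte ExtraAccountMeta-like record (assumption,
/// not the spl-pod type).
#[derive(Debug, PartialEq, Clone, Copy)]
pub struct Meta {
    pub discriminator: u8,
    pub address_config: [u8; 32],
    pub is_signer: u8,
    pub is_writable: u8,
}

impl Meta {
    pub const LEN: usize = 35;
    fn from_bytes(b: &[u8]) -> Meta {
        let mut address_config = [0u8; 32];
        address_config.copy_from_slice(&b[1..33]);
        Meta { discriminator: b[0], address_config, is_signer: b[33], is_writable: b[34] }
    }
    fn to_bytes(&self) -> Vec<u8> {
        let mut v = vec![self.discriminator];
        v.extend_from_slice(&self.address_config);
        v.extend_from_slice(&[self.is_signer, self.is_writable]);
        v
    }
}

#[derive(Debug, PartialEq)]
pub enum UnpackError {
    MissingLengthPrefix,                             // fewer than 4 bytes: no count to read
    LengthOverflow,                                  // count * LEN overflowed usize
    Truncated { declared: usize, available: usize }, // count claims more bytes than exist
}

/// Parse `[u32 LE count][count x Meta]`; a hostile count yields Err, never a panic.
pub fn unpack_checked(rest: &[u8]) -> Result<Vec<Meta>, UnpackError> {
    if rest.len() < 4 {
        return Err(UnpackError::MissingLengthPrefix);
    }
    let (len_bytes, data) = rest.split_at(4);
    let count = u32::from_le_bytes(len_bytes.try_into().unwrap()) as usize;
    let needed = count.checked_mul(Meta::LEN).ok_or(UnpackError::LengthOverflow)?;
    if data.len() < needed {
        return Err(UnpackError::Truncated { declared: needed, available: data.len() });
    }
    Ok(data[..needed].chunks_exact(Meta::LEN).map(Meta::from_bytes).collect())
}

/// Constructed encoder: writes an arbitrary declared count in front of the records,
/// so a count that disagrees with the payload can be produced for testing.
pub fn encode(declared_count: u32, metas: &[Meta]) -> Vec<u8> {
    let mut out = declared_count.to_le_bytes().to_vec();
    metas.iter().for_each(|m| out.extend(m.to_bytes()));
    out
}
```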