fix(transaction): reject malformed field 11 instead of dropping it#68
Closed
toddfil wants to merge 2 commits into
Closed
fix(transaction): reject malformed field 11 instead of dropping it#68toddfil wants to merge 2 commits into
toddfil wants to merge 2 commits into
Conversation
Collaborator
|
Thanks for the PR! Rolled fwd with your commits in the linked PR |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Don't silently swallow a malformed field 11
So there's this branch in
Deserializethat always bugged me:That's it. The "unusual case" is just... an empty block. If field 11
(
feePayerSignatureOrSender) decodes to a non-empty byte string that isn't thesingle
0x00marker, we shrug and move on. The data is gone, no error, nothing.Why does that matter? Field 11 is security-relevant — it's where the fee-payer
signature or the await-fee-payer marker lives. For a
0x76transaction the onlylegal shapes are:
0x80) — no fee payer,0x00byte — awaiting fee payer,[yParity, r, s]tuple — actual fee-payer signature.A bare byte string (say, a 20-byte address — which only belongs in the
0x78signing form, not on the wire) is malformed. Accepting it means we happily parse
a transaction that nobody should consider valid, and we throw away whatever was
there without telling the caller. A parser for a security-critical format should
reject what it doesn't understand, not guess.
So now we return an error:
Added
TestDeserializeRejectsMalformedField11, which hand-builds a 13-field tx witha 20-byte value in slot 11 and checks we now error out. Rest of the suite is still
green.