feat(gossipsub): port 55e4a64 onto master

Pull-Request: #6359.

Author: jxs

protocols/gossipsub/CHANGELOG.md

@@ -57,6 +57,10 @@
 - Avoid direct casting from u128 to u64.
   See [PR 6211](https://github.com/libp2p/rust-libp2p/pull/6211).
 
+## 0.49.4
+- Harden time arithmetic and bound remote PRUNE backoff.
+  See [CVE](https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-xqmp-fxgv-xvq5)
+
 ## 0.49.3
 - Ignore invalid backoff values on peer prune.
   See [CVE GHSA-gc42-3jg7-rxr2](https://github.com/libp2p/rust-libp2p/security/advisories/GHSA-gc42-3jg7-rxr2)

protocols/gossipsub/src/backoff.rs

@@ -158,7 +158,10 @@ impl BackoffStorage {
             let now = Instant::now();
             s.retain(|(topic, peer)| {
                 let keep = match Self::get_backoff_time_from_backoffs(backoffs, topic, peer) {
-                    Some(backoff_time) => backoff_time + slack > now,
+                    Some(backoff_time) => backoff_time
+                        .checked_add(slack)
+                        .map(|backoff| backoff > now)
+                        .unwrap_or(false),
                     None => false,
                 };
                 if !keep {

protocols/gossipsub/src/behaviour.rs

@@ -92,6 +92,9 @@ const IDONTWANT_CAP: usize = 10_000;
 /// IDONTWANT timeout before removal.
 const IDONTWANT_TIMEOUT: Duration = Duration::new(3, 0);
 
+/// Max allowed PRUNE backoff, 1 hour.
+const MAX_REMOTE_PRUNE_BACKOFF_SECONDS: u64 = 3600;
+
 /// Determines if published messages should be signed or not.
 ///
 /// Without signing, a number of privacy preserving modes can be selected.
@@ -1414,11 +1417,14 @@ where
             iwant_ids_vec.truncate(iask);
             *iasked += iask;
 
-            self.gossip_promises.add_promise(
-                *peer_id,
-                &iwant_ids_vec,
-                Instant::now() + self.config.iwant_followup_time(),
-            );
+            let followup_time = Instant::now()
+                .checked_add(self.config.iwant_followup_time())
+                .unwrap_or_else(|| {
+                    tracing::error!("Invalid iwant_followup_time using Instant::now()");
+                    Instant::now()
+                });
+            self.gossip_promises
+                .add_promise(*peer_id, &iwant_ids_vec, followup_time);
             tracing::trace!(
                 peer=%peer_id,
                 "IHAVE: Asking for the following messages from peer: {:?}",
@@ -1553,11 +1559,26 @@ where
                             }
                             peer_score.add_penalty(peer_id, 1);
 
-                            // check the flood cutoff
-                            let flood_cutoff = (backoff_time + self.config.graft_flood_threshold())
-                                - self.config.prune_backoff();
-                            if flood_cutoff > now {
-                                // extra penalty
+                            // Apply an extra graft-backoff penalty only when the peer is still
+                            // far enough from backoff expiry.
+                            // This compares durations only,
+                            // avoiding Instant arithmetic and handling config edge cases
+                            // safely: any active backoff
+                            // qualifies for the extra penalty.
+                            let apply_extra_penalty = match self
+                                .config
+                                .prune_backoff()
+                                .checked_sub(self.config.graft_flood_threshold())
+                            {
+                                Some(required_remaining) => {
+                                    let remaining_backoff =
+                                        backoff_time.saturating_duration_since(now);
+                                    remaining_backoff > required_remaining
+                                }
+                                // graft_flood_threshold >= prune_backoff
+                                None => true,
+                            };
+                            if apply_extra_penalty {
                                 peer_score.add_penalty(peer_id, 1);
                             }
                         }
@@ -1708,10 +1729,11 @@ where
             }
         }
         if always_update_backoff || peer_removed {
-            let time = if let Some(backoff) = backoff {
-                Duration::from_secs(backoff)
-            } else {
-                self.config.prune_backoff()
+            let time = match backoff {
+                Some(backoff) => {
+                    Duration::from_secs(std::cmp::min(backoff, MAX_REMOTE_PRUNE_BACKOFF_SECONDS))
+                }
+                None => self.config.prune_backoff(),
             };
             // is there a backoff specified by the peer? if so obey it.
             self.backoffs.update_backoff(topic_hash, peer_id, time);
@@ -2589,7 +2611,7 @@ where
             let fanout = &mut self.fanout; // help the borrow checker
             let fanout_ttl = self.config.fanout_ttl();
             self.fanout_last_pub.retain(|topic_hash, last_pub_time| {
-                if *last_pub_time + fanout_ttl < Instant::now() {
+                if fanout_ttl < Instant::now().saturating_duration_since(*last_pub_time) {
                     tracing::debug!(
                         topic=%topic_hash,
                         "HEARTBEAT: Fanout topic removed due to timeout"
@@ -2704,7 +2726,7 @@ where
         // Flush stale IDONTWANTs.
         for peer in self.connected_peers.values_mut() {
             while let Some((_front, instant)) = peer.dont_send.front() {
-                if (*instant + IDONTWANT_TIMEOUT) >= Instant::now() {
+                if IDONTWANT_TIMEOUT >= Instant::now().saturating_duration_since(*instant) {
                     break;
                 } else {
                     peer.dont_send.pop_front();

protocols/gossipsub/src/peer_score.rs

@@ -606,9 +606,13 @@ impl PeerScore {
                 topic_stats.mesh_message_deliveries_active = false;
             }
 
-            peer_stats.status = ConnectionStatus::Disconnected {
-                expire: Instant::now() + self.params.retain_score,
-            };
+            let expire = Instant::now()
+                .checked_add(self.params.retain_score)
+                .unwrap_or_else(|| {
+                    tracing::error!("invalid retain_score value, using Instant::now()");
+                    Instant::now()
+                });
+            peer_stats.status = ConnectionStatus::Disconnected { expire };
         }
     }
 

protocols/gossipsub/src/time_cache.rs

@@ -140,11 +140,17 @@ where
         self.remove_expired_keys(now);
         match self.map.entry(key) {
             Occupied(entry) => Entry::Occupied(OccupiedEntry { entry }),
-            Vacant(entry) => Entry::Vacant(VacantEntry {
-                expiration: now + self.ttl,
-                entry,
-                list: &mut self.list,
-            }),
+            Vacant(entry) => {
+                let expiration = now.checked_add(self.ttl).unwrap_or_else(|| {
+                    tracing::error!("invalid time cache ttl");
+                    now
+                });
+                Entry::Vacant(VacantEntry {
+                    expiration,
+                    entry,
+                    list: &mut self.list,
+                })
+            }
         }
     }