Skip to content

fix: bound MerkleProof path length on deserialize#3902

Open
iho wants to merge 1 commit into
mimblewimble:stagingfrom
iho:fix/merkle-proof-read-bounds
Open

fix: bound MerkleProof path length on deserialize#3902
iho wants to merge 1 commit into
mimblewimble:stagingfrom
iho:fix/merkle-proof-read-bounds

Conversation

@iho

@iho iho commented Jul 9, 2026

Copy link
Copy Markdown

Summary

MerkleProof::read used the untrusted path_len directly in Vec::with_capacity. A crafted proof with a huge path length could panic (capacity overflow) or attempt a massive allocation — the same class of issue fixed for PMMR segments in #3850 / reported in #3827.

Changes

  • Cap Merkle proof sibling path length at 64 (O(log n) in practice; far above real proofs)
  • Return TooLargeReadErr for oversized path_len before allocating
  • Cap path preallocation to 16 entries
  • Align StreamingReader::read_fixed_bytes with BinReader’s existing 100k single-read limit
  • Tests for oversized and near-u64::MAX path lengths

Test plan

  • cargo test -p grin_core --test merkle_proof
  • cargo test -p grin_core --test segment

MerkleProof::read trusted path_len from the peer/API and called
Vec::with_capacity without a cap, so a huge path_len could panic with
capacity overflow or force a large allocation. Reject path lengths above
64 (well beyond any legitimate O(log n) proof) and cap preallocation.
Also apply the same 100k single-read limit to StreamingReader that
BinReader already enforces.

Related to segment decode bounds (mimblewimble#3827 / mimblewimble#3850).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant