Skip to content

Reject RPC requests with trailing bytes#9567

Open
ackintosh wants to merge 3 commits into
sigp:unstablefrom
ackintosh:fix/rpc-spec-vialation
Open

Reject RPC requests with trailing bytes#9567
ackintosh wants to merge 3 commits into
sigp:unstablefrom
ackintosh:fix/rpc-spec-vialation

Conversation

@ackintosh

@ackintosh ackintosh commented Jul 2, 2026

Copy link
Copy Markdown
Member

Issue Addressed

#9301

Proposed Changes

Previously, trailing bytes after an inbound RPC request payload were silently ignored and the request was processed as normal. This violates the consensus spec, which requires such input to be rejected with an InvalidRequest error
response.

This PR makes the inbound codec detect trailing bytes and respond to the peer with an InvalidRequest error instead of just closing the stream.

I've verified the fix using the reproduction script from #9301. With this PR, Lighthouse now rejects trailing bytes as expected:

$ go run . --config clients.yaml
[*] Trailing Bytes Spec Violation PoC
[*] Spec: phase0/p2p-interface.md
[*] "A reader MUST consider [any remaining bytes after n SSZ bytes] as invalid input"
[*] Expected: INVALID_REQUEST.
DEBUG peerInfo: ID=16Uiu2HAmAQpT8ZAoWdTN2d2Ju36x2cSuDH6zBrmmAHDGMtiVAyJW Addrs=[/ip4/127.0.0.1/tcp/60589]
  prysm        SPEC VIOLATION — accepts trailing bytes
DEBUG peerInfo: ID=16Uiu2HAmTkd6q26Et4zKD19kebN789Zh78bsa3MLzCNEq1aaRtdS Addrs=[/ip4/127.0.0.1/tcp/60591]
  lighthouse   COMPLIANT — rejects trailing bytes

Additional Info

As noted in the code comment, the trailing-bytes check is best-effort: it only catches trailing bytes that arrive in the same read as the request payload. Bytes arriving in a later read go undetected, because the request stream decodes a single frame and is not polled again.

Detecting those would require an extra read purely to probe for EOF, which adds a network round-trip for little benefit. When trailing bytes go undetected, the behavior simply falls back to the previous one (the request is processed normally), so nothing gets worse in that case.

@ackintosh
ackintosh marked this pull request as ready for review July 3, 2026 23:26
@ackintosh
ackintosh requested a review from jxs as a code owner July 3, 2026 23:26
@chong-he chong-he added ready-for-review The code is ready for review Networking labels Jul 6, 2026

@pawanjay176 pawanjay176 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure about this one. This is another case where being spec compliant just for the sake of it might not be the best idea and just additional code to maintain.

Since we ignore additional bytes, from an attacker's perspective, sending additional bytes is equivalent to sending the correct request, so this is not exploitable in any way afaiu. Correct me if this fixes any particular class of attacks.

@jxs jxs left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi, Akihito, thanks for this!
Yeah I agree with Pawan though, I think we should probably make it explicit in the code as you did, but not respond to that otherwise it's as Pawan says and we are feeding invalid requests and just wasting bandwidth

@ackintosh

Copy link
Copy Markdown
Member Author

I agree with both Pawan and João. I don’t think this change prevents any particular class of attacks.

The only reason for this change is to comply with the consensus spec, which explicitly says that implementations MUST reject requests with trailing bytes. If the spec did not use a MUST here, I would also consider this change unnecessary.

Perhaps the right fix is to propose a change to the consensus spec, if we believe rejecting these requests isn't necessary.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Networking ready-for-review The code is ready for review

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants