Reject RPC requests with trailing bytes#9567
Conversation
pawanjay176
left a comment
There was a problem hiding this comment.
I'm not sure about this one. This is another case where being spec compliant just for the sake of it might not be the best idea and just additional code to maintain.
Since we ignore additional bytes, from an attacker's perspective, sending additional bytes is equivalent to sending the correct request, so this is not exploitable in any way afaiu. Correct me if this fixes any particular class of attacks.
jxs
left a comment
There was a problem hiding this comment.
Hi, Akihito, thanks for this!
Yeah I agree with Pawan though, I think we should probably make it explicit in the code as you did, but not respond to that otherwise it's as Pawan says and we are feeding invalid requests and just wasting bandwidth
|
I agree with both Pawan and João. I don’t think this change prevents any particular class of attacks. The only reason for this change is to comply with the consensus spec, which explicitly says that implementations MUST reject requests with trailing bytes. If the spec did not use a MUST here, I would also consider this change unnecessary. Perhaps the right fix is to propose a change to the consensus spec, if we believe rejecting these requests isn't necessary. |
Issue Addressed
#9301
Proposed Changes
Previously, trailing bytes after an inbound RPC request payload were silently ignored and the request was processed as normal. This violates the consensus spec, which requires such input to be rejected with an
InvalidRequesterrorresponse.
This PR makes the inbound codec detect trailing bytes and respond to the peer with an
InvalidRequesterror instead of just closing the stream.I've verified the fix using the reproduction script from #9301. With this PR, Lighthouse now rejects trailing bytes as expected:
Additional Info
As noted in the code comment, the trailing-bytes check is best-effort: it only catches trailing bytes that arrive in the same read as the request payload. Bytes arriving in a later read go undetected, because the request stream decodes a single frame and is not polled again.
Detecting those would require an extra read purely to probe for EOF, which adds a network round-trip for little benefit. When trailing bytes go undetected, the behavior simply falls back to the previous one (the request is processed normally), so nothing gets worse in that case.