Handle malformed SSZ inputs properly

This commit is contained in:
Zahary Karadjov 2020-01-24 20:35:15 +02:00 committed by zah
parent 70a387d1c7
commit 2a3c237bbb

View File

@ -3,10 +3,23 @@ import
stew/[objects, bitseqs], serialization/testing/tracing, stew/[objects, bitseqs], serialization/testing/tracing,
../spec/[digest, datatypes], ./types ../spec/[digest, datatypes], ./types
template setLen[R, T](a: var array[R, T], length: int) = const
maxListAllocation = 1 * 1024 * 1024 * 1024 # 1 GiB
template setOutputSize[R, T](a: var array[R, T], length: int) =
if length != a.len: if length != a.len:
raise newException(MalformedSszError, "SSZ input of insufficient size") raise newException(MalformedSszError, "SSZ input of insufficient size")
proc setOutputSize[T](s: var seq[T], length: int) {.inline.} =
if sizeof(T) * length > maxListAllocation:
raise newException(MalformedSszError, "SSZ list size is too large to fit in memory")
s.setLen length
proc setOutputSize(s: var string, length: int) {.inline.} =
if length > maxListAllocation:
raise newException(MalformedSszError, "SSZ string is too large to fit in memory")
s.setLen length
template assignNullValue(loc: untyped, T: type): auto = template assignNullValue(loc: untyped, T: type): auto =
when T is ref|ptr: when T is ref|ptr:
loc = nil loc = nil
@ -20,8 +33,9 @@ template assignNullValue(loc: untyped, T: type): auto =
func fromSszBytes*(T: type SomeInteger, data: openarray[byte]): T = func fromSszBytes*(T: type SomeInteger, data: openarray[byte]): T =
## Convert directly to bytes the size of the int. (e.g. ``uint16 = 2 bytes``) ## Convert directly to bytes the size of the int. (e.g. ``uint16 = 2 bytes``)
## All integers are serialized as **little endian**. ## All integers are serialized as **little endian**.
## TODO: Assumes data points to a sufficiently large buffer if data.len < sizeof(result):
doAssert data.len == sizeof(result) raise newException(MalformedSszError, "SSZ input of insufficient size")
# TODO: any better way to get a suitably aligned buffer in nim??? # TODO: any better way to get a suitably aligned buffer in nim???
# see also: https://github.com/nim-lang/Nim/issues/9206 # see also: https://github.com/nim-lang/Nim/issues/9206
var tmp: uint64 var tmp: uint64
@ -37,10 +51,13 @@ func fromSszBytes*(T: type SomeInteger, data: openarray[byte]): T =
func fromSszBytes*(T: type bool, data: openarray[byte]): T = func fromSszBytes*(T: type bool, data: openarray[byte]): T =
# TODO: spec doesn't say what to do if the value is >1 - we'll use the C # TODO: spec doesn't say what to do if the value is >1 - we'll use the C
# definition for now, but maybe this should be a parse error instead? # definition for now, but maybe this should be a parse error instead?
fromSszBytes(uint8, data) != 0 if data.len == 0 or data[0] > byte(1):
raise newException(MalformedSszError, "invalid boolean value")
data[0] == 1
func fromSszBytes*(T: type Eth2Digest, data: openarray[byte]): T = func fromSszBytes*(T: type Eth2Digest, data: openarray[byte]): T =
doAssert data.len == sizeof(result.data) if data.len < sizeof(result.data):
raise newException(MalformedSszError, "SSZ input of insufficient size")
copyMem(result.data.addr, unsafeAddr data[0], sizeof(result.data)) copyMem(result.data.addr, unsafeAddr data[0], sizeof(result.data))
template fromSszBytes*(T: type Slot, bytes: openarray[byte]): Slot = template fromSszBytes*(T: type Slot, bytes: openarray[byte]): Slot =
@ -61,7 +78,7 @@ func fromSszBytes*[N](T: type BitList[N], bytes: openarray[byte]): auto =
func readSszValue*(input: openarray[byte], T: type): T = func readSszValue*(input: openarray[byte], T: type): T =
mixin fromSszBytes, toSszType mixin fromSszBytes, toSszType
type T {.used.}= type(result) type T {.used.} = type(result)
template readOffset(n: int): int {.used.}= template readOffset(n: int): int {.used.}=
int fromSszBytes(uint32, input[n ..< n + offsetSize]) int fromSszBytes(uint32, input[n ..< n + offsetSize])
@ -69,17 +86,20 @@ func readSszValue*(input: openarray[byte], T: type): T =
when useListType and result is List: when useListType and result is List:
type ElemType = type result[0] type ElemType = type result[0]
result = T readSszValue(input, seq[ElemType]) result = T readSszValue(input, seq[ElemType])
elif result is ptr|ref: elif result is ptr|ref:
if input.len > 0: if input.len > 0:
new result new result
result[] = readSszValue(input, type(result[])) result[] = readSszValue(input, type(result[]))
elif result is Option: elif result is Option:
if input.len > 0: if input.len > 0:
result = some readSszValue(input, result.T) result = some readSszValue(input, result.T)
elif result is string|seq|openarray|array: elif result is string|seq|openarray|array:
type ElemType = type result[0] type ElemType = type result[0]
when ElemType is byte|char: when ElemType is byte|char:
result.setLen input.len result.setOutputSize input.len
if input.len > 0: if input.len > 0:
copyMem(addr result[0], unsafeAddr input[0], input.len) copyMem(addr result[0], unsafeAddr input[0], input.len)
@ -91,7 +111,7 @@ func readSszValue*(input: openarray[byte], T: type): T =
ex.actualSszSize = input.len ex.actualSszSize = input.len
ex.elementSize = elemSize ex.elementSize = elemSize
raise ex raise ex
result.setLen input.len div elemSize result.setOutputSize input.len div elemSize
trs "READING LIST WITH LEN ", result.len trs "READING LIST WITH LEN ", result.len
for i in 0 ..< result.len: for i in 0 ..< result.len:
trs "TRYING TO READ LIST ELEM ", i trs "TRYING TO READ LIST ELEM ", i
@ -104,16 +124,20 @@ func readSszValue*(input: openarray[byte], T: type): T =
# This is an empty list. # This is an empty list.
# The default initialization of the return value is fine. # The default initialization of the return value is fine.
return return
elif input.len < offsetSize:
raise newException(MalformedSszError, "SSZ input of insufficient size")
var offset = readOffset 0 var offset = readOffset 0
trs "GOT OFFSET ", offset trs "GOT OFFSET ", offset
let resultLen = offset div offsetSize let resultLen = offset div offsetSize
trs "LEN ", resultLen trs "LEN ", resultLen
result.setLen resultLen result.setOutputSize resultLen
for i in 1 ..< resultLen: for i in 1 ..< resultLen:
let nextOffset = readOffset(i * offsetSize) let nextOffset = readOffset(i * offsetSize)
if nextOffset == offset: if nextOffset <= offset:
assignNullValue result[i - 1], ElemType raise newException(MalformedSszError, "SSZ list element offsets are not monotonically increasing")
elif nextOffset > input.len:
raise newException(MalformedSszError, "SSZ list element offset points past the end of the input")
else: else:
result[i - 1] = readSszValue(input[offset ..< nextOffset], ElemType) result[i - 1] = readSszValue(input[offset ..< nextOffset], ElemType)
offset = nextOffset offset = nextOffset
@ -121,6 +145,10 @@ func readSszValue*(input: openarray[byte], T: type): T =
result[resultLen - 1] = readSszValue(input[offset ..< input.len], ElemType) result[resultLen - 1] = readSszValue(input[offset ..< input.len], ElemType)
elif result is object|tuple: elif result is object|tuple:
const minimallyExpectedSize = fixedPortionSize(T)
if input.len < minimallyExpectedSize:
raise newException(MalformedSszError, "SSZ input of insufficient size")
enumInstanceSerializedFields(result, fieldName, field): enumInstanceSerializedFields(result, fieldName, field):
const boundingOffsets = T.getFieldBoundingOffsets(fieldName) const boundingOffsets = T.getFieldBoundingOffsets(fieldName)
trs "BOUNDING OFFSET FOR FIELD ", fieldName, " = ", boundingOffsets trs "BOUNDING OFFSET FOR FIELD ", fieldName, " = ", boundingOffsets
@ -139,6 +167,10 @@ func readSszValue*(input: openarray[byte], T: type): T =
endOffset = if boundingOffsets[1] == -1: input.len endOffset = if boundingOffsets[1] == -1: input.len
else: readOffset(boundingOffsets[1]) else: readOffset(boundingOffsets[1])
trs "VAR FIELD ", startOffset, "-", endOffset trs "VAR FIELD ", startOffset, "-", endOffset
if startOffset >= endOffset:
raise newException(MalformedSszError, "SSZ field offsets are not monotonically increasing")
elif endOffset > input.len:
raise newException(MalformedSszError, "SSZ field offset points past the end of the input")
# TODO The extra type escaping here is a work-around for a Nim issue: # TODO The extra type escaping here is a work-around for a Nim issue:
when type(FieldType) is type(SszType): when type(FieldType) is type(SszType):