fix(net): bound governance vote signature deserialization#7440
Conversation
8424a28 to
e444dda
Compare
|
@coderabbitai review |
✅ Action performedReview finished.
|
WalkthroughGovernance vote network deserialization now caps signature payloads at the BLS signature size and accepts only compact or BLS signature lengths. Malformed or truncated network votes raise Estimated code review effort: 3 (Moderate) | ~20 minutes Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
This pull request has conflicts, please rebase. |
Limit network governance-vote signature reads to 96 bytes before allocation and require the structurally valid 65-byte ECDSA or 96-byte BLS encodings. Score malformed or truncated governance vote messages with 100 misbehavior points while preserving disk, hash, and outbound serialization behavior. Add focused unit coverage for malformed, oversized, and valid signature encodings.
e444dda to
8f0b813
Compare
|
✅ Review complete (commit 8f0b813) |
thepastaclaw
left a comment
There was a problem hiding this comment.
Code Review
PR #7440 correctly bounds governance-vote signature deserialization to the two legitimate wire encodings (65-byte compact ECDSA, 96-byte BLS) via LIMITED_VECTOR, throwing before allocation on oversized counts, and routes malformed/truncated votes to 100-point misbehavior scoring instead of the outer log-only handler. Disk, hash, and write serialization paths remain unbounded as intended, and static_asserts keep the size constants tied to CPubKey/CBLSSignature. The one gap is test coverage: new tests exercise only the raw stream deserialization boundary, not the handler-level peer-scoring behavior this PR introduces.
Source (experiment sonnet-primary-opus-quarter-sample-20260710, cohort sonnet_primary, bucket 2): reviewers codex/general=gpt-5.6-sol(completed); sonnet5/general=claude-sonnet-5(completed); codex/dash-core-commit-history=gpt-5.6-sol(completed); sonnet5/dash-core-commit-history=claude-sonnet-5(completed); verifier=verifier-sonnet5-7440-1783711121=claude-sonnet-5; orchestrator=openai/gpt-5.6-sol reasoning=high (orchestration-only, not a reviewer/verifier).
🟡 1 suggestion(s)
🤖 Prompt for all review comments with AI agents
These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.
In `src/test/governance_vote_wire_tests.cpp`:
- [SUGGESTION] src/test/governance_vote_wire_tests.cpp:1-96: No test exercises the peer-misbehavior-scoring path this PR adds
All four new tests call `ss >> vote` directly and assert on `std::ios_base::failure`. None of them go through `NetGovernance::ProcessMessage`, which is where this PR's actual security behavior lives: catching that exception and calling `PeerMisbehaving(peer.GetId(), 100, "malformed governance vote")` (net_governance.cpp:199-204). As written, a regression that removes the catch, changes the penalty, or forgets the `return` after scoring would leave every test in this file green while silently breaking peer-scoring. Add a handler-level test that feeds an oversized or truncated `govobjvote` payload through `NetGovernance::ProcessMessage` and asserts the peer accumulates 100 misbehavior points.
| // Copyright (c) 2026 The Dash Core developers | ||
| // Distributed under the MIT software license, see the accompanying | ||
| // file COPYING or http://www.opensource.org/licenses/mit-license.php. | ||
|
|
||
| #include <governance/vote.h> | ||
| #include <primitives/transaction.h> | ||
| #include <serialize.h> | ||
| #include <streams.h> | ||
| #include <uint256.h> | ||
| #include <version.h> | ||
|
|
||
| #include <test/util/setup_common.h> | ||
|
|
||
| #include <boost/test/unit_test.hpp> | ||
|
|
||
| #include <ios> | ||
| #include <limits> | ||
| #include <vector> | ||
|
|
||
| BOOST_FIXTURE_TEST_SUITE(governance_vote_wire_tests, BasicTestingSetup) | ||
|
|
||
| namespace { | ||
| void WriteVoteHeader(CDataStream& ss) | ||
| { | ||
| ss << COutPoint{uint256::ONE, 0} << uint256::ONE | ||
| << int{1} /*outcome*/ << int{1} /*signal*/ << int64_t{1'700'000'000}; | ||
| } | ||
|
|
||
| CDataStream MakeVoteWire(size_t sig_len) | ||
| { | ||
| CDataStream ss(SER_NETWORK, PROTOCOL_VERSION); | ||
| WriteVoteHeader(ss); | ||
| ss << std::vector<unsigned char>(sig_len, 0xAA); | ||
| return ss; | ||
| } | ||
| } // namespace | ||
|
|
||
| // Reject invalid signature lengths, including a maximal CompactSize prefix. | ||
| BOOST_AUTO_TEST_CASE(rejects_invalid_sizes) | ||
| { | ||
| for (size_t bad : {size_t{0}, size_t{64}, size_t{66}, size_t{95}, size_t{97}, size_t{128}}) { | ||
| CDataStream ss = MakeVoteWire(bad); | ||
| CGovernanceVote vote; | ||
| BOOST_CHECK_THROW(ss >> vote, std::ios_base::failure); | ||
| } | ||
|
|
||
| CDataStream ss(SER_NETWORK, PROTOCOL_VERSION); | ||
| WriteVoteHeader(ss); | ||
| WriteCompactSize(ss, std::numeric_limits<uint64_t>::max()); | ||
| CGovernanceVote vote; | ||
| BOOST_CHECK_THROW(ss >> vote, std::ios_base::failure); | ||
| } | ||
|
|
||
| // Truncated element bytes must surface as ios_base::failure so the govobjvote | ||
| // handler scores the peer. | ||
| BOOST_AUTO_TEST_CASE(truncated_signature_throws_ios_failure) | ||
| { | ||
| CDataStream ss(SER_NETWORK, PROTOCOL_VERSION); | ||
| WriteVoteHeader(ss); | ||
| ss << uint8_t{CGovernanceVote::BLS_SIG_SIZE}; | ||
| ss.write(MakeByteSpan(std::vector<unsigned char>(10, 0xBB))); | ||
|
|
||
| CGovernanceVote vote; | ||
| BOOST_CHECK_THROW(ss >> vote, std::ios_base::failure); | ||
| } | ||
|
|
||
| // 65-byte ECDSA and 96-byte BLS round-trip cleanly over the network. | ||
| BOOST_AUTO_TEST_CASE(accepts_legitimate_boundary_sizes) | ||
| { | ||
| for (size_t sig_len : {CGovernanceVote::COMPACT_SIG_SIZE, CGovernanceVote::BLS_SIG_SIZE}) { | ||
| CDataStream ss = MakeVoteWire(sig_len); | ||
| const size_t wire_bytes = ss.size(); | ||
|
|
||
| CGovernanceVote vote; | ||
| BOOST_REQUIRE_NO_THROW(ss >> vote); | ||
| BOOST_CHECK_EQUAL(ss.size(), 0U); | ||
|
|
||
| CDataStream out(SER_NETWORK, PROTOCOL_VERSION); | ||
| out << vote; | ||
| BOOST_CHECK_EQUAL(out.size(), wire_bytes); | ||
| } | ||
| } | ||
|
|
||
| // SER_DISK reads stay unbounded — existing on-disk data must load unchanged. | ||
| BOOST_AUTO_TEST_CASE(ser_disk_deserialization_unaffected) | ||
| { | ||
| CDataStream ss(SER_DISK, PROTOCOL_VERSION); | ||
| WriteVoteHeader(ss); | ||
| ss << std::vector<unsigned char>(128, 0xCD); | ||
|
|
||
| CGovernanceVote vote; | ||
| BOOST_REQUIRE_NO_THROW(ss >> vote); | ||
| BOOST_CHECK_EQUAL(ss.size(), 0U); | ||
| } | ||
|
|
||
| BOOST_AUTO_TEST_SUITE_END() |
There was a problem hiding this comment.
🟡 Suggestion: No test exercises the peer-misbehavior-scoring path this PR adds
All four new tests call ss >> vote directly and assert on std::ios_base::failure. None of them go through NetGovernance::ProcessMessage, which is where this PR's actual security behavior lives: catching that exception and calling PeerMisbehaving(peer.GetId(), 100, "malformed governance vote") (net_governance.cpp:199-204). As written, a regression that removes the catch, changes the penalty, or forgets the return after scoring would leave every test in this file green while silently breaking peer-scoring. Add a handler-level test that feeds an oversized or truncated govobjvote payload through NetGovernance::ProcessMessage and asserts the peer accumulates 100 misbehavior points.
source: ['codex']
Uses the shared bounded-vector deserialization primitive merged in #7439.
Motivation
Governance vote signatures were deserialized through the generic byte-vector path. A peer could declare a very large signature length, causing allocation before the stream reported truncation. The outer message-processing catch did not score or disconnect the peer, allowing repeated malformed messages.
Changes
Testing
./src/test/test_dash --run_test=governance_vote_wire_tests(4/4 tests)./src/test/test_dash --run_test=serialize_tests(10/10 tests)test/lint/lint-python.pygit diff --check upstream/develop...HEAD