Consistently bounds-check vin/vout access #13268
Conversation
|
I'd suggest dropping the third commit, which at first glance would seem to introduce a number of vulnerabilities. I agree though that it would be useful to add tests that would fail if that third commit were introduced. |
|
@sdaftuar thanks, by vulnerabilities, I suppose you mean there is a risk of maliciously-crafted transactions bringing down the recipient node by triggering the throws, is that right? I hadn't been considering the changes through that lens, but I can take a second look with that in mind. |
|
@sdaftuar I removed the third commit. Seems the remaining cases should be safe given they're already asserted against or otherwise assumed to be safe, such that the invalid values are not contended with at all. |
Empact
changed the title
|
Concept ACK on clarifying bounds, but I really don't like the use of exceptions replacing explicit prior checks. I understand that they accomplish the same thing, but IMO it is far less safe because it equates checks that are allowed to fail with those that logically never should. It also turns potential compile-time checks into guaranteed runtime ones. Lastly, it really harms code clarity. This one for example, is a significant regression IMO. |
According to http://en.cppreference.com/w/cpp/error/logic_error, this exception type "reports errors that are a consequence of faulty logic within the program such as violating logical preconditions or class invariants", so it doesn't seem switching from But there may still be practical reasons to favor throwing exceptions explicitly or using |
There was a problem hiding this comment.
utACK 174de7e8fd4b4e52714029b6f6dd27c1ed5d080e. Change looks correct, but I think it would be safer to only add exceptions in places that currently trigger out of bounds memory accesses, not in places that currently trigger asserts, since assert behavior is probably preferable in most of these cases.
This seems to only be a philosophical distinction to me. Yes, maybe Perhaps we should work on making those catch statements be more specific and guarantee they can't catch |
|
Ok my earlier message (now removed) related to a whitespace error - we only have 6 relevant regex: |
|
Checks are now strictly additional. |
|
Removed a check relative to |
| The last travis run for this pull request was 65 days ago and is thus outdated. To trigger a fresh travis build, this pull request should be closed and re-opened. |
This adds bounds checking to any access where bounds checking was not already locally ensured. Most of the remaining unchecked access is in the context of a loop over valid indexes, so already safe.
* CWallet::GetDebit, SignTransaction, IsMine, IsAllFromMe * CCoinsViewMemPool::GetCoin An out of range transaction output is invalid / an error condition, so let's blow up rather than skip the output or default. Comment the exception: that SIGHASH single with out of bounds index is valid Notes: * `at` does range checking. * `COutpoint.n` is not guaranteed to be valid - e.g.its default value is -1.
Empact
force-pushed
the
vout-bounds-check
branch
from
a1e930f to
47ef1a5
Compare
| Needs rebase |
An out of range transaction output is invalid / an error condition, so let'sblow up rather than skip the output or default.
I audited indexing into vin/vout looking for unchecked
or quietly handled bounds errorsand converted them to throw on out of bounds, because noisy failure is better than silent failure.Disclaimer: I'm not that familiar with the role that out of bounds outputs and inputs might play in the network, apart from the SIGHASH_SINGLE case commented below which was established in the test. Please do educate me if I'm misguided on this. If there are more "valid but invalid" cases we should get them under test.