feat(consensus): additional sanity checks for the size of proposed blocks

[cason]

Hardens tests regarding the size of proposed blocks, namely:

• The byte size of a proposal block Part should be constant (== types.BlockPartSizeBytes), except for the last part of a PartSet (<= types.BlockPartSizeBytes)
• A valid Proposal should not enclose a PartSet enabling the building of a ProposalBlock with size larger than the configured ConsensusParams.Block.MaxBytes. Notice that building a ProposalBlock larger than the allowed would fail in any case, but the proposed changes also invalidate the associated Proposal.

---

PR checklist

• Tests written/updated
• Changelog entry added in .changelog (we use unclog to manage our changelog)
• Updated relevant documentation (docs/ or spec/) and code comments

[sergio-mena]

We're still using part.Proof.Total here, are we 100% sure this total will always be in sync with the total number of parts?

[cason]

Yes, this is a good point. But we don't have the Total field in each Part, we only have it on the PartSet.

[cason]

The point here is that wrong values for Proof.Total and Proof.Index should make the Merkle-tree verification to fail. But I am not sure whether we test this at this point. Notice that the Part tests have nothing on the arrays used to fill the Part and the Part.Proof bytes.

[sergio-mena]

Is there a possibility that Part is used without populating part.Proof? (I guess no, but double-checking).

[cason]

It should not be possible, as the next check (line 40) would fail. This check, however, is also a valid check: integer fields are >= 0, hashes have the right length.

[cason]

So, status regarding this:

• we can trust Proof.Index, as change it causes the proof verification to fail
• we can't trust Proof.Total, as it is irrelevant for the proof verification provided that Proof.Index < Proof.Total.

[cason]

Ok, now Proof.Total should be correct, otherwise the Part is not added. Lets check if something breaks due to this additional check.

[sergio-mena]

Excellent!

[sergio-mena]

Suggested change

	maxBlockParts := maxBytes / int64(types.BlockPartSizeBytes)
	if maxBytes > maxBlockParts*int64(types.BlockPartSizeBytes) {
	maxBlockParts += 1
	}
	numBlockParts := int64(propBlockParts.Total())
	maxBlockParts := (maxBytes-1) / int64(types.BlockPartSizeBytes) + 1
	numBlockParts := int64(propBlockParts.Total())

How about this instead?

[cason]

I prefer using a different method, even if it is less efficient/smart, when testing.

[sergio-mena]

Good point

[github-actions]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[sergio-mena]

I was convinced I had already approved this (sorry for delay)

[thanethomson]

Is this going to be backported? If so, to which version(s)?

[cason]

Is this going to be backported? If so, to which version(s)?

I would say all releases. Why?

[thanethomson]

I would say all releases. Why?

There are currently no backport labels on the PR.

Let's get this over the finish line please.

[cason]

There are currently no backport labels on the PR.

Sorry, my bad. @sergio-mena, can you confirm we are backporting this to all releases?

[sergio-mena]

As this comes from our work in a security advisory, I'd say we should backport it to all releases