fix(drive): replace silent epoch u16 truncation with checked conversion#3293
… conversion

Replace all `as u16` casts with `try_u32_to_u16()` checked conversions in proof verification to prevent silent truncation of epoch indices, limits, and offsets received from platform nodes. A malicious node returning epoch=65536 in metadata would cause the client to verify against epoch 0 due to u32-to-u16 truncation, potentially accepting a proof for the wrong epoch.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Codecov Report

All modified and coverable lines are covered by tests.

Additional details and impacted files:

@@            Coverage Diff             @@
##           v3.1-dev    #3293      +/-   ##
============================================
- Coverage     70.42%   68.28%   -2.15%
============================================
  Files          3293     3293
  Lines        262598   262598
============================================
- Hits         184931   179310    -5621
- Misses        77667    83288    +5621
Issue Being Fixed or Feature Implemented

Security audit found that `mtd.epoch as u16` silently truncates `u32` values > 65535. A malicious node returning `epoch = 65536` in metadata would cause the client to verify against epoch 0 instead, potentially accepting a proof for the wrong epoch.

What Was Done

- Replaced all `as u16` casts in proof verification with `try_u32_to_u16()` checked conversions that return an error on overflow
- Fixed `limit` and `offset` truncations in the same file
- Removed the `MAX_EPOCH` guard in favor of the existing `try_u32_to_u16()` helper

How Has This Been Tested?

- `try_u32_to_u16` errors on epoch > `u16::MAX` (65536, `u32::MAX`, 100000)
- `u32_to_u16_opt` errors on overflow and works for valid values
- `cargo test -p drive-proof-verifier` passes (4 new tests)
- `cargo clippy -p drive-proof-verifier` clean
- `cargo fmt --all` clean

Breaking Changes
None. This only changes error behavior for values that were previously silently corrupted.
🤖 Generated with Claude Code
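The truncation this PR fixes, shown as an added Rust example that is not the project's own code: a metadata struct with `u32` fields as a node would return them, the old `as u16` path that wraps epoch 65536 to 0 and therefore matches a proof issued for epoch 0, and a checked path that turns the same input into an error. `ResponseMetadata`, `Proof`, `VerifyError`, the hostile sample values and the body of `try_u32_to_u16` are stand-ins assumed for this example; only the helper's name comes from the PR.

```rust
// Added example (not the project's code): silent `as u16` truncation versus a
// checked u32 -> u16 conversion at the node-metadata boundary. All types and
// values below are constructed for illustration.
use std::convert::TryFrom;

/// Metadata as a platform node returns it. The wire type is u32, the verifier's
/// epoch type is u16; that gap is where the truncation lived.
#[derive(Debug, Clone, Copy)]
pub struct ResponseMetadata {
    pub epoch: u32,
    pub limit: u32,
    pub offset: u32,
}

/// A proof that only verifies for one specific epoch (stand-in).
#[derive(Debug, Clone, Copy)]
pub struct Proof {
    pub epoch: u16,
}

#[derive(Debug, PartialEq, Eq)]
pub enum VerifyError {
    /// A u32 field from the node does not fit the verifier's u16 type.
    ValueOutOfRange { field: &'static str, value: u32 },
    /// The proof is for a different epoch than the node claims.
    EpochMismatch { claimed: u16, proven: u16 },
}

/// Checked conversion: Err instead of wrapping modulo 2^16. Same contract as
/// the PR's `try_u32_to_u16()`; this body is a stand-in, not the project's.
pub fn try_u32_to_u16(field: &'static str, value: u32) -> Result<u16, VerifyError> {
    u16::try_from(value).map_err(|_| VerifyError::ValueOutOfRange { field, value })
}

/// BEFORE: `as u16` wraps, so epoch 65536 becomes 0 and the comparison passes
/// against a proof for epoch 0. Returns the epoch actually verified against.
pub fn verify_epoch_truncating(mtd: &ResponseMetadata, proof: &Proof) -> Result<u16, VerifyError> {
    let epoch = mtd.epoch as u16; // 65536 -> 0, 100000 -> 34464, u32::MAX -> 65535
    if epoch != proof.epoch {
        return Err(VerifyError::EpochMismatch { claimed: epoch, proven: proof.epoch });
    }
    Ok(epoch)
}

/// AFTER: every u32 -> u16 boundary goes through the checked helper, so an
/// out-of-range epoch, limit or offset is an error, never a different value.
pub fn verify_epoch_checked(
    mtd: &ResponseMetadata,
    proof: &Proof,
) -> Result<(u16, u16, u16), VerifyError> {
    let epoch = try_u32_to_u16("epoch", mtd.epoch)?;
    let limit = try_u32_to_u16("limit", mtd.limit)?;
    let offset = try_u32_to_u16("offset", mtd.offset)?;
    if epoch != proof.epoch {
        return Err(VerifyError::EpochMismatch { claimed: epoch, proven: proof.epoch });
    }
    Ok((epoch, limit, offset))
}

fn main() {
    // Constructed hostile response: epoch 65536 paired with a proof valid for epoch 0.
    let hostile = ResponseMetadata { epoch: 65_536, limit: 10, offset: 0 };
    let proof_for_epoch_0 = Proof { epoch: 0 };
    println!("truncating: {:?}", verify_epoch_truncating(&hostile, &proof_for_epoch_0));
    println!("checked:    {:?}", verify_epoch_checked(&hostile, &proof_for_epoch_0));
}
```

The range check has to happen on the `u32` before conversion: `u32::MAX as u16` yields 65535, a perfectly plausible epoch, so nothing downstream of the cast can tell it was wrong. To find any remaining `as u16` casts in a crate, `cargo clippy -- -W clippy::cast_possible_truncation` flags each one.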