Description
Summary
The C++ implementation of libp2p’s Identify protocol (IdentifyMessageProcessor) does not validate or process the signedPeerRecord field in Identify messages.
This allows malicious peers to inject or forward third-party signed peer records, leading to address poisoning and potential identity spoofing, similar to previously fixed vulnerabilities in Go and JS libp2p implementations.
Expected behavior
When an Identify message includes a signedPeerRecord:
- The envelope signature must be verified.
- The public key inside the envelope must derive a PeerId equal to the connection’s remotePeerId.
- The PeerRecord.peerId must also match this derived PeerId.
- Only if all checks succeed should the certified addresses be accepted and stored.
Actual behavior
The current C++ code (IdentifyMessageProcessor::identifyReceived) only verifies the publicKey field.
It does not parse or validate signedPeerRecord.
A malicious peer can forward another peer’s valid signed record, causing addresses of an unrelated peer to be stored.
Relevant log output
Possible Solution
Go libp2p issue: Identity protocol accepts signed peer records without validation
Go libp2p fix: x
The relevant file
Version
No response
Would you like to work on fixing this bug ?
Yes