Strictly enforce the Commitments max size in CBOR (#835)

masih · web-flow · commit 9c11ba345092 · 2025-01-20T15:40:23.000Z
The cbor-gen does not seem to implicitly enforce the length specified in the underlying Golang array type. Instead, it uses the maximum number of allowed bytes if no `maxlen` struct tag is specified (2MiB). Strictly enforce the max allowed size to avoid potential attack vector. Relates to: * whyrusleeping/cbor-gen#106
diff --git a/gpbft/cbor_gen.go b/gpbft/cbor_gen.go
diff --git a/gpbft/chain.go b/gpbft/chain.go
@@ -56,7 +56,7 @@ type TipSet struct {
 	// Blake2b256-32 CID of the CBOR-encoded power table.
 	PowerTable cid.Cid
 	// Keccak256 root hash of the commitments merkle tree.
-	Commitments [32]byte
+	Commitments [32]byte `cborgen:"maxlen=32"`
 }
 
 // Validates a tipset.
diff --git a/gpbft/gpbft.go b/gpbft/gpbft.go
@@ -85,7 +85,7 @@ type Justification struct {
 type SupplementalData struct {
 	// Merkle-tree of instance-specific commitments. Currently empty but this will eventually
 	// include things like snark-friendly power-table commitments.
-	Commitments [32]byte
+	Commitments [32]byte `cborgen:"maxlen=32"`
 	// The DagCBOR-blake2b256 CID of the power table used to validate the next instance, taking
 	// lookback into account.
 	PowerTable cid.Cid // []PowerEntry

Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,7 @@ type TipSet struct {`
`56`	`56`	`// Blake2b256-32 CID of the CBOR-encoded power table.`
`57`	`57`	`PowerTable cid.Cid`
`58`	`58`	`// Keccak256 root hash of the commitments merkle tree.`
`59`		`- Commitments [32]byte`
	`59`	+ Commitments [32]byte `cborgen:"maxlen=32"`
`60`	`60`	`}`
`61`	`61`
`62`	`62`	`// Validates a tipset.`