gossip: epoch slots and account hashes sanitizers

ravyu-jump · ravyu-jump · commit 4ed5c4e53025 · 2025-09-24T15:41:30.000Z
diff --git a/src/flamenco/gossip/fd_gossip_msg_parse.c b/src/flamenco/gossip/fd_gossip_msg_parse.c
@@ -226,9 +226,15 @@ fd_gossip_msg_crds_account_hashes_parse( fd_gossip_view_crds_value_t * crds_val,
   CHECK_INIT( payload, payload_sz, start_offset );
   CHECK_LEFT( 32U ); crds_val->pubkey_off = CUR_OFFSET                                           ; INC( 32U );
   CHECK_LEFT(  8U ); ulong hashes_len     = FD_LOAD( ulong, CURSOR )                             ; INC(  8U );
-  CHECKED_INC( hashes_len*32U ); /* overflowing this currently doesn't matter, but be careful */
-  
+  slot_hash_pair_t const * hashes = (slot_hash_pair_t const *)CURSOR;
+  CHECK( hashes_len<(ULONG_MAX-39U)/40U ); /* to prevent overflow in next check */
+  CHECKED_INC( hashes_len*40U );
   CHECKED_WALLCLOCK_LOAD( crds_val->wallclock_nanos );
+
+  /* https://github.com/anza-xyz/agave/blob/bff4df9cf6f41520a26c9838ee3d4d8c024a96a1/gossip/src/crds_data.rs#L226-L230 */
+  for( ulong i=0UL; i<hashes_len; i++ ) {
+    CHECK( hashes[i].slot<MAX_SLOT );
+  }
   return BYTES_CONSUMED;
 }
 
@@ -239,18 +245,32 @@ fd_gossip_msg_crds_epoch_slots_parse( fd_gossip_view_crds_value_t * crds_val,
                                       ulong                         start_offset ) {
   CHECK_INIT( payload, payload_sz, start_offset );
   CHECK_LEFT(  1U ); crds_val->epoch_slots->index = FD_LOAD( uchar, CURSOR )                   ; INC(  1U );
+  /* https://github.com/anza-xyz/agave/blob/bff4df9cf6f41520a26c9838ee3d4d8c024a96a1/gossip/src/crds_data.rs#L67-L107 */
+  CHECK( crds_val->epoch_slots->index<FD_GOSSIP_EPOCH_SLOTS_IDX_MAX );
   CHECK_LEFT( 32U ); crds_val->pubkey_off         = CUR_OFFSET                                 ; INC( 32U );
   CHECK_LEFT(  8U ); ulong slots_len              = FD_LOAD( ulong, CURSOR )                   ; INC(  8U );
 
   for( ulong i=0UL; i<slots_len; i++ ) {
     CHECK_LEFT( 4U ); uint is_uncompressed = FD_LOAD( uint, CURSOR )                           ; INC(  4U );
     if( is_uncompressed ) {
+      CHECK_LEFT( 8U ); ulong first_slot = FD_LOAD( ulong, CURSOR )                            ; INC(  8U );
+      CHECK_LEFT( 8U ); ulong num        = FD_LOAD( ulong, CURSOR )                            ; INC(  8U );
 
       ulong  bits_off, bits_len, bits_cnt;
       CHECKED_CALL_INC( decode_bitvec_u8( payload, payload_sz, CUR_OFFSET, &bits_off, &bits_len, &bits_cnt ) );
 
+      /* https://github.com/anza-xyz/agave/blob/bff4df9cf6f41520a26c9838ee3d4d8c024a96a1/gossip/src/epoch_slots.rs#L24-L43 */
+      CHECK( first_slot<MAX_SLOT );
+      CHECK( num<=MAX_SLOTS_PER_EPOCH_SLOT );
+      CHECK( bits_cnt%8U==0U ); /* must be multiple of 8 */
+      CHECK( bits_cnt==bits_len*8U ); /* stricter than check in decode_bitvec_u8 */
     } else {
-      CHECKED_INC( 8U+8U ); /* first_slot + num */
+      /* https://github.com/anza-xyz/agave/blob/bff4df9cf6f41520a26c9838ee3d4d8c024a96a1/gossip/src/epoch_slots.rs#L79-L86*/
+      CHECK_LEFT( 8U ); ulong first_slot = FD_LOAD( ulong, CURSOR )                            ; INC(  8U );
+      CHECK_LEFT( 8U ); ulong num        = FD_LOAD( ulong, CURSOR )                            ; INC(  8U );
+      CHECK( first_slot<MAX_SLOT );
+      CHECK( num<=MAX_SLOTS_PER_EPOCH_SLOT );
+
       CHECK_LEFT( 8U ); ulong compressed_len = FD_LOAD( ulong, CURSOR )                        ; INC(  8U );
       CHECKED_INC( compressed_len ); /* compressed bitvec */
     }
diff --git a/src/flamenco/gossip/fd_gossip_private.h b/src/flamenco/gossip/fd_gossip_private.h
@@ -192,6 +192,7 @@ struct fd_gossip_view_vote {
 
 typedef struct fd_gossip_view_vote fd_gossip_view_vote_t;
 
+#define FD_GOSSIP_EPOCH_SLOTS_IDX_MAX (255U)
 struct fd_gossip_view_epoch_slots {
   uchar  index;
 };
