gossip: sanitizers for published types (lowest_slot, vote, duplicate_shred, snapshot_hashes)

ravyu-jump · ravyu-jump · commit 75ae28fd81bb · 2025-09-24T15:40:08.000Z
diff --git a/src/flamenco/gossip/fd_gossip_msg_parse.c b/src/flamenco/gossip/fd_gossip_msg_parse.c
@@ -3,6 +3,17 @@
 
 /* https://github.com/anza-xyz/agave/blob/bff4df9cf6f41520a26c9838ee3d4d8c024a96a1/gossip/src/crds_data.rs#L22-L23 */
 #define WALLCLOCK_MAX_MILLIS (1000000000000000UL)
+#define MAX_SLOT             (1000000000000000UL)
+
+/* https://github.com/anza-xyz/agave/blob/master/gossip/src/epoch_slots.rs#L15 */
+#define MAX_SLOTS_PER_EPOCH_SLOT (2048UL*8UL)
+
+struct __attribute__((packed)) slot_hash_pair {
+  ulong slot;
+  uchar hash[ 32UL ];
+};
+
+typedef struct slot_hash_pair slot_hash_pair_t;
 
 /* Adapted from fd_txn_parse.c */
 #define CHECK_INIT( payload, payload_sz, offset )   \
@@ -162,6 +173,8 @@ fd_gossip_msg_crds_vote_parse( fd_gossip_view_crds_value_t * crds_val,
                                ulong                         start_offset ) {
   CHECK_INIT( payload, payload_sz, start_offset );
   CHECK_LEFT(  1U ); crds_val->vote->index = FD_LOAD( uchar, CURSOR )                           ; INC(  1U );
+  /* https://github.com/anza-xyz/agave/blob/bff4df9cf6f41520a26c9838ee3d4d8c024a96a1/gossip/src/crds_data.rs#L67-L107 */
+  CHECK( crds_val->vote->index<FD_GOSSIP_VOTE_IDX_MAX );
   CHECK_LEFT( 32U ); crds_val->pubkey_off  = CUR_OFFSET                                         ; INC( 32U );
   ulong transaction_sz;
   CHECK( fd_txn_parse_core( CURSOR, BYTES_REMAINING, NULL, NULL, &transaction_sz )!=0UL );
@@ -178,7 +191,10 @@ fd_gossip_msg_crds_lowest_slot_parse( fd_gossip_view_crds_value_t * crds_val,
                                       ulong                         payload_sz,
                                       ulong                         start_offset ) {
   CHECK_INIT( payload, payload_sz, start_offset );
-  CHECKED_INC( 1U ); /* deprecated */
+  CHECK_LEFT( 1U ); uchar ix = FD_LOAD( uchar, CURSOR )                                         ; INC( 1U );
+  /* https://github.com/anza-xyz/agave/blob/bff4df9cf6f41520a26c9838ee3d4d8c024a96a1/gossip/src/crds_data.rs#L67-L107 */
+  CHECK( !ix );
+
   CHECK_LEFT( 32U ); crds_val->pubkey_off = CUR_OFFSET                                          ; INC( 32U );
 
   CHECKED_INC( 8U ); /* root: deprecated */
@@ -295,12 +311,16 @@ fd_gossip_msg_crds_duplicate_shred_parse( fd_gossip_view_crds_value_t * crds_val
   CHECK_INIT( payload, payload_sz, start_offset );
 
   CHECK_LEFT(            2U ); ds->index = FD_LOAD( ushort, CURSOR )                                      ; INC(            2U );
+  /* https://github.com/anza-xyz/agave/blob/bff4df9cf6f41520a26c9838ee3d4d8c024a96a1/gossip/src/crds_data.rs#L67-L107 */
+  CHECK( ds->index<FD_GOSSIP_DUPLICATE_SHRED_IDX_MAX );
   CHECK_LEFT(           32U ); crds_val->pubkey_off = CUR_OFFSET                                          ; INC(           32U );
   CHECKED_WALLCLOCK_LOAD( crds_val->wallclock_nanos );
   CHECK_LEFT(            8U ); ds->slot = FD_LOAD( ulong, CURSOR )                                        ; INC(            8U );
   CHECKED_INC(        4U+1U ); /* (unused) + shred type (unused) */
   CHECK_LEFT(            1U ); ds->num_chunks  = FD_LOAD( uchar, CURSOR )                                 ; INC(            1U );
   CHECK_LEFT(            1U ); ds->chunk_index = FD_LOAD( uchar, CURSOR )                                 ; INC(            1U );
+  /* https://github.com/anza-xyz/agave/blob/bff4df9cf6f41520a26c9838ee3d4d8c024a96a1/gossip/src/duplicate_shred.rs#L328-L336 */
+  CHECK( ds->chunk_index<ds->num_chunks );
   CHECK_LEFT(            8U ); ds->chunk_len   = FD_LOAD( ulong, CURSOR )                                 ; INC(            8U );
   CHECK_LEFT( ds->chunk_len ); ds->chunk_off   = CUR_OFFSET                                               ; INC( ds->chunk_len );
   return BYTES_CONSUMED;
@@ -315,9 +335,22 @@ fd_gossip_msg_crds_snapshot_hashes_parse( fd_gossip_view_crds_value_t * crds_val
   CHECK_LEFT(                 32U ); crds_val->pubkey_off = CUR_OFFSET                                          ; INC(                 32U );
   CHECK_LEFT(                 40U ); crds_val->snapshot_hashes->full_off = CUR_OFFSET                           ; INC(                 40U );
   CHECK_LEFT(                  8U ); ulong incremental_len = FD_LOAD( ulong, CURSOR )                           ; INC(                  8U );
+  CHECK( incremental_len<(ULONG_MAX-39U)/40U ); /* to prevent overflow in next check */
   CHECK_LEFT( incremental_len*40U ); crds_val->snapshot_hashes->inc_off = CUR_OFFSET                            ; INC( incremental_len*40U );
   CHECKED_WALLCLOCK_LOAD( crds_val->wallclock_nanos );
   crds_val->snapshot_hashes->inc_len = incremental_len;
+
+  /* https://github.com/anza-xyz/agave/blob/bff4df9cf6f41520a26c9838ee3d4d8c024a96a1/gossip/src/crds_data.rs#L265-L282 */
+  slot_hash_pair_t * full_pair = (slot_hash_pair_t *)(payload + crds_val->snapshot_hashes->full_off);
+  ulong full_slot = full_pair->slot;
+  CHECK( full_slot<MAX_SLOT );
+
+  slot_hash_pair_t * inc_pair = (slot_hash_pair_t *)(payload + crds_val->snapshot_hashes->inc_off);
+  for( ulong i=0UL; i<incremental_len; i++ ) {
+    CHECK( inc_pair[i].slot>full_slot );
+    CHECK( inc_pair[i].slot<MAX_SLOT );
+  }
+
   return BYTES_CONSUMED;
 }
 
diff --git a/src/flamenco/gossip/fd_gossip_private.h b/src/flamenco/gossip/fd_gossip_private.h
@@ -183,6 +183,7 @@ struct fd_gossip_view_node_instance {
 
 typedef struct fd_gossip_view_node_instance fd_gossip_view_node_instance_t;
 
+#define FD_GOSSIP_VOTE_IDX_MAX (32U)
 struct fd_gossip_view_vote {
   uchar  index;
   ulong  txn_sz;
@@ -197,6 +198,7 @@ struct fd_gossip_view_epoch_slots {
 
 typedef struct fd_gossip_view_epoch_slots fd_gossip_view_epoch_slots_t;
 
+#define FD_GOSSIP_DUPLICATE_SHRED_IDX_MAX (512U)
 struct fd_gossip_view_duplicate_shred {
   ushort index;
   ulong  slot;
