From 990b5a0bade9c22a93b95af265027f2fa351c271 Mon Sep 17 00:00:00 2001 From: Aayush Date: Mon, 17 Jul 2023 14:33:26 -0400 Subject: [PATCH] fix: ethtypes: handle length overflow case --- chain/types/ethtypes/rlp.go | 6 ++++-- chain/types/ethtypes/rlp_test.go | 3 ++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/chain/types/ethtypes/rlp.go b/chain/types/ethtypes/rlp.go index 7943cba11c6..15cee4a22a9 100644 --- a/chain/types/ethtypes/rlp.go +++ b/chain/types/ethtypes/rlp.go @@ -134,7 +134,7 @@ func decodeRLP(data []byte) (res interface{}, consumed int, err error) { return nil, 0, err } totalLen := 1 + strLenInBytes + strLen - if totalLen > len(data) { + if totalLen > len(data) || totalLen < 0 { return nil, 0, xerrors.Errorf("invalid rlp data: out of bound while parsing string") } return data[1+strLenInBytes : totalLen], totalLen, nil @@ -160,7 +160,9 @@ func decodeLength(data []byte, lenInBytes int) (length int, err error) { if decodedLength < 0 { return 0, xerrors.Errorf("invalid rlp data: negative string length") } - if lenInBytes+int(decodedLength) > len(data) { + + totalLength := lenInBytes + int(decodedLength) + if totalLength < 0 || totalLength > len(data) { return 0, xerrors.Errorf("invalid rlp data: out of bound while parsing list") } return int(decodedLength), nil diff --git a/chain/types/ethtypes/rlp_test.go b/chain/types/ethtypes/rlp_test.go index 58f7e417885..0ce6e15d926 100644 --- a/chain/types/ethtypes/rlp_test.go +++ b/chain/types/ethtypes/rlp_test.go @@ -148,11 +148,12 @@ func TestDecodeNegativeLength(t *testing.T) { mustDecodeHex("0xbfffffffffffffff0041424344"), mustDecodeHex("0xc1bFFF1111111111111111"), mustDecodeHex("0xbFFF11111111111111"), + mustDecodeHex("0xbf7fffffffffffffff41424344"), } for _, tc := range testcases { _, err := DecodeRLP(tc) - require.Error(t, err, "invalid rlp data: negative string length") + require.ErrorContains(t, err, "invalid rlp data") } }