You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This fixes a DoS variant of GHSA-h9hm-m2xj-4rq9 where malformed nonempty FindBlocks responses could poison sync state. For example, a response shaped like [unknown, known, random] could cause the node to enqueue known hashes and then cancel future downloads when the known block download failed.
This PR cleanly ports the original Zebra fix onto Zakura's security-ports branch.
Solution
Validate legacy discovery hash responses before mutating download state.
Reject duplicate hashes, known hashes after the first unknown hash, locator echoes in advertised suffixes, and nonproductive shapes such as [R].
Apply validation in both tip discovery and extension-building paths.
Add regression coverage for malformed discovery and extension responses.
Update Zakura's newer checkpoint-refill regression test for the additional validation state queries introduced by the port.
AI tools were used: Cursor GPT-5.6 Sol ported the original commit, reconciled its validation requests with Zakura's checkpoint-refill regression test, and ran verification.
PR Checklist
The PR title follows conventional commits format: type(scope): description.
The PR follows the contribution guidelines.
This change was previously discussed and approved in the original PR linked above.
The solution is tested.
Documentation and changelogs are up to date; no additional changes are needed for this direct security port.
The new FindBlocks validation rejects non-empty peer responses locally, but peer accountability still treats every non-empty BlockHashes response as successful. A malicious peer can return hashes containing a duplicate or a known hash after the first unknown; first_unknown_in_find_blocks_response returns Ok(None) and obtain_tips skips that response without adding any hashes to the download set. The peer-set wrapper has already classified the same non-empty response as StallOutcome::Clear, and drain_stall_events clears that peer's stall counter instead of disconnecting it. If the peers selected by the three-way fanout are malicious or the node is eclipsed, each obtain round can produce no usable tips while the existing FindBlocks stall protection is bypassed.
The new validation paths perform a KnownBlock state-service lookup for attacker-controlled hashes without first enforcing the syncer's 500-hash expectation. In obtain_tips, first_unknown_in_find_blocks_response checks the state for each hash until the first unknown and then for every later hash to reject known suffixes. In build_extend, the diff clones the state service into the background extension future and validate_extend_find_blocks_response calls state_contains_service for every returned unknown hash after stripping only the trailing hash. The classic network connection forwards all block inventory entries in a FindBlocksinv as Response::BlockHashes, and received inventory messages are bounded by the much larger 50,000-item protocol cap, so a malicious peer can force tens of thousands of negative state lookups per response.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
This fixes a DoS variant of GHSA-h9hm-m2xj-4rq9 where malformed nonempty
FindBlocksresponses could poison sync state. For example, a response shaped like[unknown, known, random]could cause the node to enqueue known hashes and then cancel future downloads when the known block download failed.This PR cleanly ports the original Zebra fix onto Zakura's
security-portsbranch.Solution
[R].Tests
cargo fmt --all -- --checkcargo clippy --workspace --all-targets -- -D warningscargo test -p zakura components::sync(59 passed)Specifications & References
valargroup/zebra:codex/sync-discovery-validationabebf4e06d967a287a44e5b168a4acc1e84dfdbaFollow-up Work
None.
AI Disclosure
PR Checklist
type(scope): description.