Merge pull request #11079 from filecoin-project/11053-decoderlp-panic

fix: DecodeRLP can panic
filecoin-project · Jul 15, 2023 · 23d705e · 23d705e
2 parents 03078cd + 871d1ba
commit 23d705e
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/chain/types/ethtypes/rlp.go b/chain/types/ethtypes/rlp.go
@@ -157,6 +157,9 @@ func decodeLength(data []byte, lenInBytes int) (length int, err error) {
 	if err := binary.Read(r, binary.BigEndian, &decodedLength); err != nil {
 		return 0, xerrors.Errorf("invalid rlp data: cannot parse string length: %w", err)
 	}
+	if decodedLength < 0 {
+		return 0, xerrors.Errorf("invalid rlp data: negative string length")
+	}
 	if lenInBytes+int(decodedLength) > len(data) {
 		return 0, xerrors.Errorf("invalid rlp data: out of bound while parsing list")
 	}

diff --git a/chain/types/ethtypes/rlp_test.go b/chain/types/ethtypes/rlp_test.go
@@ -143,6 +143,19 @@ func TestDecodeList(t *testing.T) {
 	}
 }
 
+func TestDecodeNegativeLength(t *testing.T) {
+	testcases := [][]byte{
+		mustDecodeHex("0xbfffffffffffffff0041424344"),
+		mustDecodeHex("0xc1bFFF1111111111111111"),
+		mustDecodeHex("0xbFFF11111111111111"),
+	}
+
+	for _, tc := range testcases {
+		_, err := DecodeRLP(tc)
+		require.Error(t, err, "invalid rlp data: negative string length")
+	}
+}
+
 func TestDecodeEncodeTx(t *testing.T) {
 	testcases := [][]byte{
 		mustDecodeHex("0xdc82013a0185012a05f2008504a817c8008080872386f26fc1000000c0"),