Node should validate incoming SAF messages #3410

Closed
SWvheerden opened this issue Oct 4, 2021 · 1 comment

@SWvheerden
Collaborator

A node should verify that all incoming SAF messages are legit by either:

  • Checking if they come from a nearby neighbor and request others
  • OR preferably only accepting incoming SAF messages if it requested such messages.

Not checking these messages allows a malicious actor to control what the node downloads by preemptively forwarding messages to it. If a SAF message can be used to "break" the node, it allows an attacker to kill a node by simply sending a message to it.

aviator-app bot pushed a commit that referenced this issue Oct 24, 2021
Description
---
- Keeps track of inflight SAF requests and only accepts responses for
  requests that are inflight
- Checks that `stored_at` is in the past
- Fixes #3412, #3410 

Motivation and Context
---
See #3412, #3410

How Has This Been Tested?
---
- New/existing unit/integration tests
- memorynet
- Manually
@sdbondi
Member

sdbondi commented Apr 28, 2022

Fixed in #3444 - only requested SAF responses are accepted

@sdbondi sdbondi closed this as completed Apr 28, 2022
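
The checks described in this thread (track inflight SAF requests, accept only responses to them, and require `stored_at` to be in the past), sketched as an added example that is not the project's own code. All type and function names, the one-response-per-request rule and the request timeout are assumptions made for illustration.

```rust
use std::collections::HashMap;
use std::time::{Duration, Instant};

// Hypothetical names; this is not the project's API.
#[derive(Debug, PartialEq)]
pub enum Verdict { Accept, Unsolicited, Expired, StoredAtInFuture }

pub struct InflightSaf {
    ttl: Duration,                     // assumed request timeout
    pending: HashMap<String, Instant>, // peer id -> when we asked it
}

impl InflightSaf {
    pub fn new(ttl: Duration) -> Self {
        Self { ttl, pending: HashMap::new() }
    }

    /// Record that this node asked `peer` for its stored messages.
    pub fn request_sent(&mut self, peer: &str, now: Instant) {
        self.pending.insert(peer.to_string(), now);
    }

    /// Gate a SAF response before any message in it is processed.
    /// `stored_at` and `now_unix` are seconds since the Unix epoch.
    pub fn check_response(&mut self, peer: &str, stored_at: &[u64],
                          now: Instant, now_unix: u64) -> Verdict {
        // Removing the entry means one request admits one response (assumption).
        let sent = match self.pending.remove(peer) {
            Some(t) => t,
            None => return Verdict::Unsolicited, // never asked this peer
        };
        if now.duration_since(sent) > self.ttl {
            return Verdict::Expired;
        }
        if stored_at.iter().any(|&t| t > now_unix) {
            return Verdict::StoredAtInFuture;
        }
        Verdict::Accept
    }
}

fn main() {
    // Constructed sample: peer ids and timestamps are made up.
    let t0 = Instant::now();
    let mut gate = InflightSaf::new(Duration::from_secs(30));
    println!("{:?}", gate.check_response("peer-a", &[100], t0, 200));
    gate.request_sent("peer-a", t0);
    println!("{:?}", gate.check_response("peer-a", &[100, 150], t0, 200));
}
```

Because the gate runs before any message body is parsed, an unsolicited sender never reaches the code that a malformed SAF message could "break".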