Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[R4R] security patch from go-ethereum #63

Merged
merged 8 commits into from
Jan 11, 2021
Merged

[R4R] security patch from go-ethereum #63

merged 8 commits into from
Jan 11, 2021

Conversation

unclezoro
Copy link
Collaborator

@unclezoro unclezoro commented Jan 11, 2021

Description

BSC001: Integer Overflow when generating ethash dataset
It is fixed on go-ethereum: ethereum/go-ethereum#21793

BSC002: AES GCM return value improper validation possibly leading to Denial of Service
It is fixed on go-ethereum: ethereum/go-ethereum#21379

BSC003: Off-by-one error in queuing a batch of transactions
It is fixed on go-ethereum: ethereum/go-ethereum#21683

BSC004: DoEstimateGas improper validation possibly leading to Denial of Service
It is fixed on go-ethereum: ethereum/go-ethereum#21601

BSC005: Missing validation after unmarshalling RPC JSON message
It is fixed on go-ethereum: ethereum/go-ethereum#21497

BSC006: Type Confusion when handling a dynamic type variable
It is fixed on go-ethereum: ethereum/go-ethereum#21501

BSC011: Denial of Service due to improper validation on network addresses
It is fixed in go-ethereum: ethereum/go-ethereum#21981

BSC012: Deadlock by race possibly leading to resource exhaust
It is fixed in go-ethereum: ethereum/go-ethereum#21858

Rationale

tell us why we need these changes...

Example

add an example CLI or API response...

Changes

Notable changes:

  • add each change in a bullet point here
  • ...

Preflight checks

  • build passed (make build)
  • tests passed (make test)
  • manual transaction test passed

Already reviewed by

...

Related issues

... reference related issue #'s here ...

slavikus and others added 8 commits January 11, 2021 11:20
* Bit boundary fix for the DAG generation routine

* Fix unnecessary conversion warnings

Co-authored-by: Sergey Pavlov <[email protected]>
…1601)

* tried to fix

* fix for js api

* fix for nil pointer ex

* rev space

* rev space

* input call formatter
* accounts/abi: fix a bug in getTypeSize method

e.g. for "Tuple[2]" type, the element of the array is a tuple type and the size of the tuple may not be 32.

* accounts/abi: add unit test of getTypeSize method
The database panicked for invalid IPs. This is usually no problem
because all code paths leading to node DB access verify the IP, but it's
dangerous because improper validation can turn this panic into a DoS
vulnerability. The quick fix here is to just turn database accesses
using invalid IP into a noop. This isn't great, but I'm planning to
remove the node DB for discv5 long-term, so it should be fine to have
this quick fix for half a year.

Fixes #21849
This fixes a deadlock that could occur when a response packet arrived
after a call had already received enough responses and was about to
signal completion to the dispatch loop.

Co-authored-by: Felix Lange <[email protected]>
@unclezoro unclezoro changed the title [WIP]Secure patch [R4R] security patch from go-ethereum Jan 11, 2021
@unclezoro unclezoro merged commit b605f1f into master Jan 11, 2021
@unclezoro unclezoro deleted the secure_patch branch January 18, 2021 12:26
@unclezoro unclezoro mentioned this pull request Jan 19, 2021
3 tasks
pythonberg1997 pushed a commit to pythonberg1997/bsc that referenced this pull request Mar 29, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

10 participants