mempool: CListMempool.isFull could benefit from bullet-proofing against any integer overflows by converting to uint64 before additions #2445

@odeke-em

Bug Report

If we examine this code:

if memSize >= mem.config.Size || int64(txSize)+txsBytes > mem.config.MaxTxsBytes {

we see this code: int64(txSize)+txsBytes > mem.config.MaxTxsBytes

and if at least txsBytes (total) is close to maxInt64, given that we don't have bounds guarantees or proper size/length calculations, any txSize will cause an overflow, e.g.

txSize=int64(100) + txsBytes=9223372036854775800 -> -9223372036854775806

Suggestion

Let's take advantage of a cast to uint64, for which it would take a whole lot more filling up of the mempool to cause that overflow, given that len(max) aka max(int*(64)) on 64-bit machines is maxInt64, which would firstly cause a RAM blow-up long before one can exceed maxUint64:

uint64(txSize)+uint64(txsBytes) > uint64(mem.config.MaxTxsBytes)
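
The wrap-around described in this issue, as an added example that is not part of the original report or the project's code. The function names, the 1 GiB limit and the input values are constructed for illustration, and `bytesFullNoAdd` is a hypothetical alternative that avoids the addition and also rejects negative inputs, which the `uint64` cast silently turns into very large values.

```go
package main

import (
	"fmt"
	"math"
)

// bytesFullInt64 mirrors the byte-limit half of the condition quoted in the
// issue. The int64 addition wraps when txsBytes is close to math.MaxInt64.
func bytesFullInt64(txSize int, txsBytes, maxTxsBytes int64) bool {
	return int64(txSize)+txsBytes > maxTxsBytes
}

// bytesFullUint64 is the comparison suggested in the issue. It is only
// meaningful when all three operands are non-negative.
func bytesFullUint64(txSize int, txsBytes, maxTxsBytes int64) bool {
	return uint64(txSize)+uint64(txsBytes) > uint64(maxTxsBytes)
}

// bytesFullNoAdd (hypothetical) compares the new tx against the remaining
// budget, so nothing is added, and treats negative or inconsistent inputs as full.
func bytesFullNoAdd(txSize int, txsBytes, maxTxsBytes int64) bool {
	if txSize < 0 || txsBytes < 0 || maxTxsBytes < 0 || txsBytes > maxTxsBytes {
		return true
	}
	return int64(txSize) > maxTxsBytes-txsBytes
}

func main() {
	// Constructed inputs: running total near math.MaxInt64, 100-byte tx, 1 GiB limit.
	var txsBytes int64 = math.MaxInt64 - 7
	const limit int64 = 1 << 30
	fmt.Println("int64 check reports full: ", bytesFullInt64(100, txsBytes, limit))
	fmt.Println("uint64 check reports full:", bytesFullUint64(100, txsBytes, limit))
	fmt.Println("no-add check reports full:", bytesFullNoAdd(100, txsBytes, limit))
	// A negative limit (misconfiguration) becomes a huge limit after the uint64 cast.
	fmt.Println("uint64 check, limit=-1:   ", bytesFullUint64(100, 0, -1))
	fmt.Println("no-add check, limit=-1:   ", bytesFullNoAdd(100, 0, -1))
}
```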

Labels: bug, mempool
