consenus/PeerState: SetHasProposal could be exploited by a malicious peer to crash node since common.BitArray doesn't catch negative lengths before makeslice

[odeke-em]

I was just auditing the code to check for how a peer could take down all it's peers in one take and I found a way. By broadcasting to all of them a Proposal of a blockstate with a Total <= -127 a malicious peer can take down all of it's peers because:

tendermint/consensus/reactor.go

Lines 241 to 249 in c8a2bdf

	case DataChannel:
	if conR.FastSync() {
	conR.Logger.Info("Ignoring message received during fastSync", "msg", msg)
	return
	}
	switch msg := msg.(type) {
	case *ProposalMessage:
	ps.SetHasProposal(msg.Proposal)
	conR.conS.peerMsgQueue <- msgInfo{msg, src.ID()}

tendermint/consensus/reactor.go

Line 887 in c8a2bdf

ps.ProposalBlockParts = cmn.NewBitArray(proposal.BlockPartsHeader.Total)

but then see the code in tendermint/tmlibs/common.NewBitArray https://github.com/tendermint/tmlibs/blob/1b9b5652a199ab0be2e781393fb275b66377309d/common/bit_array.go#L16-L25

and notice the line https://github.com/tendermint/tmlibs/blob/1b9b5652a199ab0be2e781393fb275b66377309d/common/bit_array.go#L18-L20

Which will then crash with

panic: runtime error: makeslice: len out of range [recovered]
	panic: runtime error: makeslice: len out of range

goroutine 20 [running]:
testing.tRunner.func1(0xc0001560f0)

[odeke-em]

I've filed tendermint/tmlibs#169

[ebuchman]

Awesome find. More of this please :P :D 💃 🥇 💯

[ebuchman]

I bet there's a lot more danger lurking in that consensus.Receive function!!

[odeke-em]

Roger that, thanks @ebuchman. For sure, I'll be inspecting it more. Addressed by tendermint/tmlibs#170, let's update the dependencies.