Description
tendermint will crash when an evil peer sends a nil pubkey during the handshake, because tendermint never checks whether the remote pubkey is nil before using it to verify the signature.
Tendermint version (use tendermint version or git rev-parse --verify HEAD if installed from source): all
ABCI app (name for built-in, URL for self-written if it's publicly available):
any
Environment:
- OS (e.g. from /etc/os-release):
- Install tools:
- Others:
What happened:
tendermint crashed
What you expected to happen:
tendermint refuses to connect
Have you tried the latest version: yes
How to reproduce it (as minimally and precisely as possible):
step 1.
Change the code of p2p/conn/secret_connection.go, function shareAuthSignature. Change
    var _, err1 = cdc.MarshalBinaryLengthPrefixedWriter(sc, authSigMessage{pubKey, signature})
into:
    var _, err1 = cdc.MarshalBinaryLengthPrefixedWriter(sc, authSigMessage{nil, signature})
step 2. Build the evil binary and try to join any tendermint network.
step 3. All peers this evil peer tries to connect to will crash with a nil pointer error, at tendermint/p2p/conn/secret_connection.go line 136 (commit 8fbc625):
    if !remPubKey.VerifyBytes(challenge[:], remSignature) {
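The hardened form of that check, as an added example that is not tendermint's own code: the PubKey interface, edPubKey type and authSigMessage struct below are assumed stand-ins for the amino-decoded handshake message, with Go's standard ed25519 in place of tendermint's crypto package. Calling a method on a nil interface value panics, so the nil test has to come before VerifyBytes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// PubKey stands in for the crypto.PubKey interface whose VerifyBytes the handshake
// calls (assumed shape, not tendermint's own type).
type PubKey interface{ VerifyBytes(msg, sig []byte) bool }

type edPubKey ed25519.PublicKey

// The length check matters too: ed25519.Verify panics on a typed-nil or short key.
func (k edPubKey) VerifyBytes(msg, sig []byte) bool {
	return len(k) == ed25519.PublicKeySize && ed25519.Verify(ed25519.PublicKey(k), msg, sig)
}

// authSigMessage mirrors the wire struct written by shareAuthSignature; both
// fields are peer-controlled, so PubKey can arrive as a nil interface.
type authSigMessage struct {
	PubKey PubKey
	Sig    []byte
}

var errNilPubKey = errors.New("handshake: remote peer sent nil pubkey")

// verifyRemote is the hardened form of the check at secret_connection.go:136.
// Calling a method on a nil interface panics, so the nil test must come first;
// the result is a rejected connection instead of a crashed node.
func verifyRemote(msg authSigMessage, challenge []byte) error {
	if msg.PubKey == nil {
		return errNilPubKey
	}
	if !msg.PubKey.VerifyBytes(challenge, msg.Sig) {
		return errors.New("handshake: challenge signature invalid")
	}
	return nil
}

// newSignedMessage builds a well-formed message from a freshly generated local key,
// standing in for an honest peer (constructed test input).
func newSignedMessage(challenge []byte) (authSigMessage, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return authSigMessage{}, err
	}
	return authSigMessage{PubKey: edPubKey(pub), Sig: ed25519.Sign(priv, challenge)}, nil
}
```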
Logs (paste a small part showing an error (< 10 lines) or link a pastebin, gist, etc. containing more of the log file):
Config (you can paste only the changes you've made):
node command runtime flags:
/dump_consensus_state output for consensus bugs
Anything else we need to know:
It can take down the whole tendermint network.
This issue was originally submitted via Hackerone by fudongbai.