consensus: check proposal block size is valid on receiving it

[cmwaters]

Summary

Validators should ensure that block size should not exceed MaxBytes defined in the consensus params

Problem Definition

This check was originally in place but was unfortunately inadvertently removed when migrating to protobuf. There is logic on the proposer side to ensure that the block is of the correct size but if the proposer were to bypass it, it allows them to create blocks of any size where the other validators would approve of it. This only applies for 0.34.

As a side note we should also check to make sure that none of the other validation logic was affected by the protobuf migration.

Proposal

Reimplement the check here:

tendermint/consensus/state.go

Lines 1782 to 1792 in 99aea7b

	if added && cs.ProposalBlockParts.IsComplete() {
	bz, err := ioutil.ReadAll(cs.ProposalBlockParts.GetReader())
	if err != nil {
	return added, err
	}
	var pbb = new(tmproto.Block)
	err = proto.Unmarshal(bz, pbb)
	if err != nil {
	return added, err
	}
	block, err := types.BlockFromProto(pbb)

---

For Admin Use

• Not duplicate issue
• Appropriate labels applied
• Appropriate contributors tagged
• Contributor assigned/self-assigned

[melekes]

As a side note we should also check to make sure that none of the other validation logic was affected by the protobuf migration.

Other than consensus/state, UnmarshalBinaryLengthPrefixedReader was used in p2p/connection, secret_connection and privval. All now use protoio.DelimitedReader, which seem to be correct.

[erikgrinaker]

Good catch Callum!

I remember working on something related. I'm not really sure why this used length-prefixing originally - this is typically only used for message framing on the wire, which is why it's still in use e.g. in p2p, secret conn, and privval. However, length-prefixing individual messages doesn't really make sense since the message is presumably already demarcated as a byte slice (or in this case, a slice of byte slices) so its length is known.

I haven't looked into the details here, but shouldn't this validation happen before we even accept the part, to avoid the partset growing without bound?

[cmwaters]

I haven't looked into the details here, but shouldn't this validation happen before we even accept the part, to avoid the partset growing without bound?

Yeah you're right, we should keep a tally and check it as each part is received

[tac0turtle]

I haven't looked into the details here, but shouldn't this validation happen before we even accept the part, to avoid the partset growing without bound?

Yeah you're right, we should keep a tally and check it as each part is received

This does seem to already be present here:

tendermint/consensus/reactor.go

Line 32 in 58b4dec

maxMsgSize = 1048576 // 1MB; NOTE/TODO: keep in sync with types.PartSet sizes.

[erikgrinaker]

Won't that just limit the size of each part, not of the total part set? (haven't looked at the code here at all, so I may be missing something)

[tac0turtle]

Won't that just limit the size of each part, not of the total part set? (haven't looked at the code here at all, so I may be missing something)

Correct, it would not limit the block size when decoded. So a check would be needed on the size of a block. I don't think length prefixing of the block is needed here, will bleed into state storage, but could be wrong.

[cmwaters]

So just to summarize things:

• We already have a check that the part size doesn't exceed the msg size.

• But we still need to check the block size (the total of all the parts) and we should do this by keeping a byte sum that we update when each part is received. At any point, if this sum exceeds the consensus param MaxBytes we then return an error and thus the validator prevotes and precommits nil