Comments (12)
Your example malicious payload has 11 elements, but we decode only up to 10 elements, due to the buffer having a length of 10. Do you have an example that leads to a panic?
Though, even if a panic cannot be triggered, it might still make sense to change the code for clarity.
from rust-multihash.
Your example malicious payload has 11 elements, but we decode only up to 10 elements, due to the buffer having a length of 10. Do you have an example that leads to a panic?
Sure, let me give you another example, all the details should be visible in the screenshots.
from rust-multihash.
I've tried:
    #[test]
    fn decode_overflow() {
        let data = [203, 155, 0, 0, 0, 5, 67];
        let result = read_u64(&data[..]);
        println!("result: {:?}", result);
    }
Just as your error message, it returns an error that it's not minimal, but it does not panic. What am I missing?
from rust-multihash.
Just as your error message, it returns an error that it's not minimal, but it does not panic. What am I missing?
Put in your Cargo.toml:
[dependencies]
multihash = { version = "0.18.0", git="https://github.com/multiformats/rust-multihash", default-features = false, features = [ "multihash-impl", "sha2"] }
Because this function will have a different behaviour if you have std in the features (because of #[cfg(not(feature = "std"))]), so ensure std is not on the features.
from rust-multihash.
We have also run into panics on this line with a NotMinimal encoding error. We are also using a Substrate, no-std environment.
Any chance this fix will get merged in the near future?
from rust-multihash.
We have also run into panics on this line with a NotMinimal encoding error.
That is an error and not a panic, isn't it?
I cannot reproduce the panic. If you can reproduce the panic, please provide a unit test for it.
from rust-multihash.
The NotMinimal error triggers a panic when it hits unwrap().
Oh sorry, it took me a long time to understand all that. So the problem is that you have a non-minimal encoded varint. That varint is then decoded and returns a NotMinimal error. As we call unwrap(), it leads to a panic.
Let me try to create a unit test triggering that, now that I've understood the issue.
from rust-multihash.
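A simplified model of the failure mode this thread converges on, added here as an example and not taken from rust-multihash or its varint dependency: a strict decoder rejects the non-minimal varint from the test above, the `unwrap()` variant turns that error into a panic, and the checked variant returns it. All type and function names are hypothetical.

```rust
// Added example (simplified model); names are hypothetical, not the crate's code.
#[derive(Debug, PartialEq)]
pub enum VarintError {
    Insufficient, // input ended before the terminating byte
    Overflow,     // value does not fit in a u64
    NotMinimal,   // trailing zero byte: a shorter encoding exists
}

/// Strict unsigned-varint (LEB128) decoder that rejects non-minimal encodings.
pub fn decode_u64(buf: &[u8]) -> Result<u64, VarintError> {
    let mut n: u64 = 0;
    for (i, &b) in buf.iter().enumerate() {
        // The 10th byte may only carry bit 63 of a u64.
        if i == 9 && b > 1 { return Err(VarintError::Overflow); }
        n |= u64::from(b & 0x7f) << (7 * i);
        if b & 0x80 == 0 {
            return if b == 0 && i > 0 { Err(VarintError::NotMinimal) } else { Ok(n) };
        }
    }
    Err(VarintError::Insufficient)
}

/// Length of the varint at the start of `input` (at most 10 bytes).
fn varint_len(input: &[u8]) -> Result<usize, VarintError> {
    match input.iter().take(10).position(|b| b & 0x80 == 0) {
        Some(i) => Ok(i + 1),
        None if input.len() < 10 => Err(VarintError::Insufficient),
        None => Err(VarintError::Overflow),
    }
}

/// Pattern from the thread: decode, then unwrap(). A decode error on
/// untrusted input becomes a panic instead of an `Err`.
pub fn read_u64_unwrap(input: &[u8]) -> Result<u64, VarintError> {
    let len = varint_len(input)?;
    Ok(decode_u64(&input[..len]).unwrap())
}

/// Hardened form: propagate the decode error to the caller.
pub fn read_u64_checked(input: &[u8]) -> Result<u64, VarintError> {
    let len = varint_len(input)?;
    decode_u64(&input[..len])
}

fn main() {
    // Payload quoted in the thread; the varint ends at the third byte (0).
    let data = [203u8, 155, 0, 0, 0, 5, 67];
    println!("checked: {:?}", read_u64_checked(&data));
    let caught = std::panic::catch_unwind(|| read_u64_unwrap(&data));
    println!("unwrap variant panicked: {}", caught.is_err());
}
```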
Alright, I now know why I wasn't able to reproduce it. The tests have std enabled (even with --no-default-features), hence it wasn't triggering the code path that contains the issue. On current master --no-default-features works as expected.
from rust-multihash.
I've created pull requests for
from rust-multihash.
I've released the fix as 0.18.1. It's also fixed on master and will be included in the next minor release.
from rust-multihash.