Input values are not sanitized after they are deserialized, making it far too easy for Leo to earn SOL (#9706)

* sanitize gossip protocol messages * sanitize transactions * crds protocol sanitize
2020-04-27 11:06:00 -07:00
parent c372a39dd3
commit 8ef097bf6f
13 changed files with 333 additions and 31 deletions
--- a/runtime/src/bank.rs
+++ b/runtime/src/bank.rs
@ -45,6 +45,7 @@ use solana_sdk::{
    inflation::Inflation,
    native_loader, nonce,
    pubkey::Pubkey,
+    sanitize::Sanitize,
    signature::{Keypair, Signature},
    slot_hashes::SlotHashes,
    slot_history::SlotHistory,
@ -1077,7 +1078,7 @@ impl Bank {
        OrderedIterator::new(txs, iteration_order)
            .zip(lock_results)
            .map(|(tx, lock_res)| {
-                if lock_res.is_ok() && !tx.verify_refs() {
+                if lock_res.is_ok() && tx.sanitize().is_err() {
                    error_counters.invalid_account_index += 1;
                    Err(TransactionError::InvalidAccountIndex)
                } else {
--- a/runtime/src/bloom.rs
+++ b/runtime/src/bloom.rs
@ -19,6 +19,8 @@ pub struct Bloom<T: BloomHashIndex> {
    _phantom: PhantomData<T>,
 }

+impl<T: BloomHashIndex> solana_sdk::sanitize::Sanitize for Bloom<T> {}
+
 impl<T: BloomHashIndex> Bloom<T> {
    pub fn new(num_bits: usize, keys: Vec<u64>) -> Self {
        let bits = BitVec::new_fill(false, num_bits as u64);