Input values are not sanitized after they are deserialized, making it far too easy for Leo to earn SOL (#9706)

* sanitize gossip protocol messages * sanitize transactions * crds protocol sanitize
2020-04-27 11:06:00 -07:00
parent c372a39dd3
commit 8ef097bf6f
13 changed files with 333 additions and 31 deletions
--- a/sdk/src/message.rs
+++ b/sdk/src/message.rs
@@ -1,5 +1,6 @@
 //! A library for generating a message from a sequence of instructions

+use crate::sanitize::{Sanitize, SanitizeError};
 use crate::{
    hash::Hash,
    instruction::{AccountMeta, CompiledInstruction, Instruction},
@@ -162,6 +163,31 @@ pub struct Message {
    pub instructions: Vec<CompiledInstruction>,
 }

+impl Sanitize for Message {
+    fn sanitize(&self) -> std::result::Result<(), SanitizeError> {
+        if self.header.num_required_signatures as usize > self.account_keys.len() {
+            return Err(SanitizeError::IndexOutOfBounds);
+        }
+        if self.header.num_readonly_unsigned_accounts as usize
+            + self.header.num_readonly_signed_accounts as usize
+            > self.account_keys.len()
+        {
+            return Err(SanitizeError::IndexOutOfBounds);
+        }
+        for ci in &self.instructions {
+            if ci.program_id_index as usize >= self.account_keys.len() {
+                return Err(SanitizeError::IndexOutOfBounds);
+            }
+            for ai in &ci.accounts {
+                if *ai as usize >= self.account_keys.len() {
+                    return Err(SanitizeError::IndexOutOfBounds);
+                }
+            }
+        }
+        Ok(())
+    }
+}
+
 impl Message {
    pub fn new_with_compiled_instructions(
        num_required_signatures: u8,