[security] Fix panics on malformed input + channel races in controller #6

Open
opened 2026-03-22 16:36:55 +00:00 by Virgil · 2 comments
Member

AX sweep findings:

  1. HIGH — Panic on malformed UEPS header fields, remote input crashes parser (reader.go:53-72)
  2. HIGH — Send-on-closed-channel panic in controller (controller.go:46, :54, :90, :107)
  3. HIGH — Nil identity dereference in keepalive path crashes transport (transport.go:805)
  4. MEDIUM — No access control on sensitive worker commands (worker.go:74-85)
  5. MEDIUM — UEPS parser memory exhaustion via oversized TLVs (reader.go:24-54)

Fix all, add tests.
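Findings 1 and 5 as an added example in Go (not the project's reader; the frame layout, the per-record limit and the `Seal` helper are assumptions standing in for the real UEPS encoding): a bounds-checked, length-capped TLV parser that verifies the HMAC before interpreting any field, beside the one-line slice that shows the crash class.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Assumed layout (not the project's real UEPS encoding): body = repeated
// tag(1) | len(2, big endian) | value; frame = body | HMAC-SHA256(key, body).
const (
	maxFrameBytes = 1 << 20 // whole-frame cap, as the scan describes
	maxTLVBytes   = 4096    // per-record cap so one TLV cannot claim the whole budget
)

var (
	ErrTruncated = errors.New("ueps: truncated TLV")
	ErrOversized = errors.New("ueps: TLV length exceeds per-record limit")
	ErrBadMAC    = errors.New("ueps: HMAC mismatch")
	ErrTooLarge  = errors.New("ueps: frame exceeds cap")
)

type TLV struct {
	Tag   byte
	Value []byte
}

// naiveValue is the crash class of finding 1: the length field is trusted, so
// the slice expression panics on truncated input instead of returning an error.
func naiveValue(buf []byte) []byte { return buf[3 : 3+int(binary.BigEndian.Uint16(buf[1:]))] }

// parseTLVs is the hardened variant: every read is bounds-checked, record
// lengths are capped, and malformed input is an error rather than a panic.
func parseTLVs(body []byte) ([]TLV, error) {
	var out []TLV
	for i := 0; i < len(body); {
		if len(body)-i < 3 {
			return nil, ErrTruncated
		}
		n := int(binary.BigEndian.Uint16(body[i+1 : i+3]))
		if n > maxTLVBytes {
			return nil, ErrOversized
		}
		if len(body)-i-3 < n {
			return nil, ErrTruncated
		}
		out = append(out, TLV{Tag: body[i], Value: body[i+3 : i+3+n]})
		i += 3 + n
	}
	return out, nil
}

// ReadAndVerify reads at most maxFrameBytes, checks the trailing HMAC before
// any field is interpreted, and only then parses the TLVs.
func ReadAndVerify(r io.Reader, key []byte) ([]TLV, error) {
	frame, err := io.ReadAll(io.LimitReader(r, maxFrameBytes+1))
	if err != nil {
		return nil, err
	}
	if len(frame) > maxFrameBytes {
		return nil, ErrTooLarge
	}
	if len(frame) < sha256.Size {
		return nil, ErrTruncated
	}
	body, mac := frame[:len(frame)-sha256.Size], frame[len(frame)-sha256.Size:]
	m := hmac.New(sha256.New, key)
	m.Write(body)
	if !hmac.Equal(m.Sum(nil), mac) {
		return nil, ErrBadMAC
	}
	return parseTLVs(body)
}

// Seal builds a valid frame (demo/test helper only, not project code).
func Seal(key []byte, tlvs []TLV) []byte {
	var body []byte
	for _, t := range tlvs {
		body = append(body, t.Tag, byte(len(t.Value)>>8), byte(len(t.Value)))
		body = append(body, t.Value...)
	}
	m := hmac.New(sha256.New, key)
	m.Write(body)
	return m.Sum(body)
}

func main() {
	key := []byte("constructed demo key")
	tlvs, err := ReadAndVerify(bytes.NewReader(Seal(key, []TLV{{Tag: 1, Value: []byte("hello")}})), key)
	fmt.Println("valid frame:", tlvs, err)
	malformed := []byte{0x01, 0x00, 0x10, 'a'} // claims 16 value bytes, carries one
	_, err = parseTLVs(malformed)
	fmt.Println("hardened parser on truncated input:", err)
}
```

The MAC is checked over the whole body before any TLV is decoded, so a peer without the key never reaches the parser at all; the per-record and per-frame caps bound what a keyed peer can make the parser allocate, and `naiveValue` is kept only to show what the unchecked slice does on the same malformed input.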

Author
Member

Codex Fix Attempt

Codex attempted fixes but could not commit (sandbox .git lock). The original findings from the issue body remain valid:

  1. HIGH — Panic on malformed UEPS headers (reader.go:53-72)
  2. HIGH — Send-on-closed-channel in controller (controller.go:46-107)
  3. HIGH — Nil identity dereference in keepalive (transport.go:805)
  4. MEDIUM — No access control on worker commands (worker.go:74-85)
  5. MEDIUM — UEPS memory exhaustion via oversized TLVs (reader.go:24-54)
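Finding 2 as an added example in Go (not the project's controller; the channel, `Stop` and producer shapes are assumptions): the crashing shape beside a controller that closes its channel only after every tracked sender has returned, with a race harness showing that no interleaving panics.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"sync/atomic"
)

var ErrStopped = errors.New("controller: stopped")

// unsafeController has the shape behind finding 2 (assumed, not the project's
// code): Stop closes the channel producers send on, so a late Send panics.
type unsafeController struct{ events chan int }

func (c *unsafeController) Send(v int) { c.events <- v }
func (c *unsafeController) Stop()      { close(c.events) }

func unsafeSendAfterStop() (panicked bool) {
	defer func() { panicked = recover() != nil }()
	c := &unsafeController{events: make(chan int, 1)}
	c.Stop()
	c.Send(1)
	return false
}

// Controller is the hardened form: producers run under Go so Stop can wait for
// them, Send selects on done, and events is closed exactly once, after every
// tracked producer has returned.
type Controller struct {
	events   chan int
	done     chan struct{}
	stopOnce sync.Once
	wg       sync.WaitGroup
}

// Go runs f as a tracked producer; only tracked goroutines may call Send.
func (c *Controller) Go(f func()) {
	c.wg.Add(1)
	go func() {
		defer c.wg.Done()
		f()
	}()
}

// Send refuses once Stop has begun instead of blocking forever or panicking.
func (c *Controller) Send(v int) error {
	select {
	case <-c.done:
		return ErrStopped
	default:
	}
	select {
	case c.events <- v:
		return nil
	case <-c.done:
		return ErrStopped
	}
}

// Stop is idempotent and safe to call concurrently with Send.
func (c *Controller) Stop() {
	c.stopOnce.Do(func() {
		close(c.done)   // 1. tell producers to stop
		c.wg.Wait()     // 2. wait until no tracked goroutine can send
		close(c.events) // 3. only now is closing safe; the consumer drains and exits
	})
}

// Exercise races tracked senders against Stop while a consumer drains events.
// On every interleaving ok+refused == producers, received == ok, and nothing panics.
func Exercise(producers, buf int) (ok, refused, received int) {
	c := &Controller{events: make(chan int, buf), done: make(chan struct{})}
	counted := make(chan int)
	go func() {
		n := 0
		for range c.events {
			n++
		}
		counted <- n
	}()
	var okN, refusedN int32
	for i := 0; i < producers; i++ {
		v := i
		c.Go(func() {
			if c.Send(v) == nil {
				atomic.AddInt32(&okN, 1)
			} else {
				atomic.AddInt32(&refusedN, 1)
			}
		})
	}
	c.Stop()
	return int(okN), int(refusedN), <-counted
}

func main() {
	fmt.Println("naive send after Stop panics:", unsafeSendAfterStop())
	ok, refused, received := Exercise(64, 4)
	fmt.Printf("accepted=%d refused=%d received=%d\n", ok, refused, received)
}
```

The rule the hardened form enforces is the usual Go one: the channel is closed by the side that can prove no sender remains, which here means after `wg.Wait`, and shutdown is signalled to senders through a separate `done` channel rather than by closing the data channel under them. Run the harness under `go test -race` to let the race detector confirm the ordering.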
Author
Member

Security Scan: Attack Vector Map

| Entry | Input | Flows Into | Validation | Vector |
|---|---|---|---|---|
| ueps.ReadAndVerify (reader.go:27) | Raw TLV stream | Parse→HMAC→ParsedPacket | 1MiB cap, HMAC required | Unknown tags accepted into signed data, CPU/mem per frame |
| Dispatcher.Dispatch (dispatcher.go:101) | Parsed UEPS packet | Threat gate→handler | Nil check, threat threshold | Any HMAC-valid packet under threshold reaches handlers, no auth |
| levin.ReadPacket (connection.go:112) | Raw Levin bytes | Decode→allocate→ReadFull | 33-byte header, sig check, 100MB cap | 100MB alloc per packet = memory DoS |
| levin.DecodeStorage (storage.go:454) | Portable-storage payload | Section/value/array decode | Signature/version, truncation | No caps on section/array/string counts, varint → large make() |
| node.ReadBundle (bundle.go:354) | Network bundle | Bundle decode | (see log for full details) | |

Common themes: Memory DoS via large allocations, no auth at dispatch layer, unknown extensions accepted.
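The allocation pattern in the levin.ReadPacket and levin.DecodeStorage rows, as an added example in Go that is not the project's code (the 4-byte header, the 1 MiB cap, the uvarint element count and the `frame` helper are assumptions standing in for the real Levin and portable-storage encodings): the allocate-then-ReadFull shape beside a reader that only grows as bytes arrive, and an array-count check bounded by the payload actually received.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Assumed framing (hypothetical, not the project's Levin header): a 4-byte
// big-endian body length followed by the body.
const maxPacketBytes = 1 << 20 // assumed per-packet cap; the scan reports 100MB today

var (
	ErrPacketTooLarge = errors.New("packet: declared length exceeds cap")
	ErrShortPacket    = errors.New("packet: body shorter than declared length")
	ErrCountTooLarge  = errors.New("storage: element count exceeds remaining bytes")
)

func frame(n uint32, body []byte) []byte {
	hdr := make([]byte, 4, 4+len(body))
	binary.BigEndian.PutUint32(hdr, n)
	return append(hdr, body...)
}

// naiveReadPacket is the "decode -> allocate -> ReadFull" shape: the declared
// length backs a full-size allocation before a single body byte has arrived.
// It returns the size it allocated so the cost of a lying header is visible.
func naiveReadPacket(r io.Reader) (body []byte, allocated int, err error) {
	var hdr [4]byte
	if _, err = io.ReadFull(r, hdr[:]); err != nil {
		return nil, 0, err
	}
	n := binary.BigEndian.Uint32(hdr[:])
	body = make([]byte, n) // attacker-chosen size, zeroed up front
	_, err = io.ReadFull(r, body)
	return body, int(n), err
}

// readPacket rejects lengths over the cap, then copies through a LimitReader
// into a buffer that grows only as bytes actually arrive: a peer that declares
// 512 KiB and sends one byte costs about one byte, not 512 KiB.
func readPacket(r io.Reader) ([]byte, error) {
	var hdr [4]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err
	}
	n := int64(binary.BigEndian.Uint32(hdr[:]))
	if n > maxPacketBytes {
		return nil, ErrPacketTooLarge
	}
	var buf bytes.Buffer
	if _, err := io.CopyN(&buf, r, n); err != nil {
		if err == io.EOF {
			return nil, ErrShortPacket
		}
		return nil, err
	}
	return buf.Bytes(), nil
}

// decodeArrayHeader reads a uvarint element count (as portable-storage style
// encodings do) and refuses any count the remaining payload could not hold,
// so a make([]T, count) downstream is bounded by bytes received, not by the
// varint. minElemBytes (>= 1) is the smallest wire size of one element.
func decodeArrayHeader(payload []byte, minElemBytes int) (count int, rest []byte, err error) {
	n, k := binary.Uvarint(payload)
	if k <= 0 {
		return 0, nil, io.ErrUnexpectedEOF
	}
	rest = payload[k:]
	if n > uint64(len(rest)/minElemBytes) {
		return 0, nil, ErrCountTooLarge
	}
	return int(n), rest, nil
}

func main() {
	lying := frame(16<<20, []byte{'x'}) // header claims 16 MiB, carries one byte
	_, allocated, err := naiveReadPacket(bytes.NewReader(lying))
	fmt.Printf("naive: allocated %d bytes before failing with %v\n", allocated, err)
	_, err = readPacket(bytes.NewReader(lying))
	fmt.Println("hardened, over cap:", err)
	_, err = readPacket(bytes.NewReader(frame(512<<10, []byte{'x'})))
	fmt.Println("hardened, under cap but short:", err)
	uv := make([]byte, binary.MaxVarintLen64)
	k := binary.PutUvarint(uv, 1<<30)
	_, _, err = decodeArrayHeader(append(uv[:k:k], 1, 2, 3), 1)
	fmt.Println("array header claiming 2^30 elements:", err)
}
```

The cap alone is not enough, because a peer can open many connections and have each declare the cap; growing with the bytes received keeps the cost per connection tied to what the peer actually sends, and a per-peer or global byte budget on top of that is the usual next step.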

Reference: core/go-p2p#6