enforce max_string_size on non-strict binary message name#3609
Conversation
Code reviewThree process issues (AGENTS.md compliance); no logic defects verified.
Coverage note (UNVERIFIABLE): `must_enforce_string_size_limit_on_non_strict_message_name` tests that a 2000-byte name is rejected at a limit of 1000. There is no test for the passing side: a name of exactly 1000 bytes should be accepted (`>` not `>=`). The implementation is correct at this boundary — a two-state proof cannot be constructed (a correct-boundary test would pass on both PR and base code) — so this is recorded as a coverage suggestion only, not a verified defect. 🤖 Generated with Claude Code - If this code review was useful, please react with 👍. Otherwise, react with 👎. |
Jens-G
left a comment
There was a problem hiding this comment.
See "coverage note" above. Pls comment and/or consider improving the tests.
the rust binary protocol reader enforces the configured max_string_size everywhere it reads a length-prefixed value, except one. when read_message_begin handles a non-strict message (the legacy mode kept for senders that don't write the protocol-version header) it takes the leading four bytes as the name length and allocates the name buffer straight from that wire value, skipping the check that read_bytes and read_string both apply. the value is attacker-controlled, so a peer talking to a server in non-strict mode can make a four-byte length drive an allocation of up to about two gigabytes, which quietly defeats the default 100 MiB string limit for that field. i noticed it while comparing the non-strict path with read_bytes and with the compact reader, which routes its message name through read_string and so stays bounded. the fix runs the name length through the same max_string_size check before allocating and returns a SizeLimit error otherwise. i kept it inside read_message_begin so the rest of the path is unchanged, and added a regression test beside the existing string-limit ones.
[skip ci]anywhere in the commit message to free up build resources.