[crash/fuzzing] "java.lang.IndexOutOfBoundsException: index (0) must be less than size (0)" during block ssz parsing #1685
Comments
The SSZ in this case is valid, but the initial state contains pending attestations where the aggregation bits size is less than the committee size. The transition subcommand doesn't do any validation on the input state so I wouldn't expect it to detect that. In a running Teku I've tidied that up, but my reading of the fork choice spec suggests that it misses this case as well and never validates that the attestation's aggregation bits matches the committee size.
Description
During fuzzing with beacon-fuzz, I triggered an
java.lang.IndexOutOfBoundsException: index (0) must be less than size (0)
during block SSZ parsing using the teku transition blocks tool.
The bug comes from bits.getBit(i) at line 121.
Additional info
lighthouse detects this bug and returns:
Related code:
https://github.com/PegaSysEng/teku/blob/f79f65fdc23414dd08d2e0c5d93211df3fa52665/ethereum/datastructures/src/main/java/tech/pegasys/artemis/datastructures/util/AttestationUtil.java#L114-L124
Steps to Reproduce (Bug)
Download: index_less_size_oob_teku.zip
Crash:
Versions
master
openjdk version "11.0.7" 2020-04-14
Ubuntu 18.04.4 LTS
4.15.0-96-generic
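As an added illustration (not Teku's code and not the reporter's attachment), the following Python models the spec-style attesting-index lookup that reads one aggregation bit per committee member, shows how an aggregation bitlist shorter than the committee turns into an out-of-range read (the Python counterpart of the IndexOutOfBoundsException above), and adds the explicit length check that rejects such an attestation before any bit is read. The committee and bitlists are constructed sample values.

```python
from typing import List, Sequence, Set

# Constructed stand-in for an SSZ Bitlist: one bool per committee member.
Bitlist = List[bool]


class InvalidAttestation(ValueError):
    """Raised when an attestation fails structural validation."""


def get_attesting_indices_unchecked(committee: Sequence[int], bits: Bitlist) -> Set[int]:
    """Spec-style lookup: bits[i] is read for every committee slot.

    If the bitlist is shorter than the committee this raises IndexError,
    which is the same failure the fuzzer triggered in Teku (bits.getBit(i)
    with an empty bitlist and a non-empty committee).
    """
    return {index for i, index in enumerate(committee) if bits[i]}


def validate_aggregation_bits(committee: Sequence[int], bits: Bitlist) -> None:
    """Reject an attestation whose aggregation bits do not match the committee size.

    Both shorter and longer bitlists are rejected: a shorter one causes the
    out-of-range read, a longer one would silently ignore trailing bits.
    """
    if len(bits) != len(committee):
        raise InvalidAttestation(
            f"aggregation_bits length {len(bits)} != committee size {len(committee)}"
        )


def get_attesting_indices_checked(committee: Sequence[int], bits: Bitlist) -> Set[int]:
    """Hardened lookup: validate the bitlist length, then read the bits."""
    validate_aggregation_bits(committee, bits)
    return get_attesting_indices_unchecked(committee, bits)


if __name__ == "__main__":
    committee = [7, 12, 3, 21]          # constructed validator indices
    well_formed = [True, False, True, False]
    empty_bits: Bitlist = []            # the fuzzer's case: size 0 bitlist

    print(get_attesting_indices_checked(committee, well_formed))  # {3, 7}
    try:
        get_attesting_indices_checked(committee, empty_bits)
    except InvalidAttestation as err:
        print("rejected:", err)
```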