Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(net): Limit the number of leftover nonces in the self-connection nonce set #6534

Merged
merged 6 commits into from
Apr 18, 2023
Merged

fix(net): Limit the number of leftover nonces in the self-connection nonce set #6534

merged 6 commits into from
Apr 18, 2023

Conversation

teor2345
Copy link
Contributor

Motivation

This PR prevents a memory exhaustion attack on Zebra.

It also limits the inbound connection rate to make similar attacks harder in future.

Complex Code or Requirements

This PR modifies concurrent network handshake code, where futures run concurrently.
It also adds more code to a futures mutex critical section.

It has already been reviewed privately by two Zebra developers.

Solution

  • Limit the number of nonces in the nonce set to 500 or 8 kB the configured connection limit
  • Limit the inbound connection rate to 1 per second
  • Slightly decrease the outbound connection rate to one every 50 milliseconds

Review

This is ready for review. It needs to get merged before the next Zebra release.

Reviewer Checklist

  • Will the PR name make sense to users?
    • Does it need extra CHANGELOG info? (new features, breaking changes, large changes)
  • Are the PR labels correct?
  • Does the code do what the ticket and PR says?
    • Does it change concurrent code, unsafe code, or consensus rules?
  • How do you know it works? Does it have tests?

@teor2345 teor2345 requested a review from a team as a code owner April 18, 2023 02:08
@teor2345 teor2345 requested review from upbqdn and removed request for a team April 18, 2023 02:08
@teor2345 teor2345 self-assigned this Apr 18, 2023
@github-actions github-actions bot added the C-bug Category: This is a bug label Apr 18, 2023
@teor2345 teor2345 added C-security Category: Security issues I-heavy Problems with excessive memory, disk, or CPU usage I-slow Problems with performance or responsiveness A-network Area: Network protocol updates or fixes A-concurrency Area: Async code, needs extra work to make it work properly. P-High 🔥 I-remote-trigger Remote nodes can make Zebra do something bad and removed I-slow Problems with performance or responsiveness labels Apr 18, 2023
@arya2
Copy link
Contributor

arya2 commented Apr 18, 2023

Is there a commit missing here?

arya2
arya2 previously approved these changes Apr 18, 2023
View reviewed changes
@teor2345 teor2345 mentioned this pull request Apr 18, 2023
Closed
@codecov
Copy link

codecov bot commented Apr 18, 2023
edited
Loading

Codecov Report

Merging #6534 (92bf9e3) into main (2e434b0) will increase coverage by 0.10%.
The diff coverage is 96.87%.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #6534      +/-   ##
==========================================
+ Coverage   77.68%   77.78%   +0.10%     
==========================================
  Files         305      306       +1     
  Lines       40104    40236     +132     
==========================================
+ Hits        31154    31298     +144     
+ Misses       8950     8938      -12

@arya2 @teor2345
Tests that the number of nonces is limited (#37)
92bf9e3 
* Tests that the number of nonces is limited

* removes unused constant

* test that it reaches the nonce limit
@teor2345
Copy link
Contributor Author

Is there a commit missing here?

Thanks for catching that, I forgot to fetch your tests before pushing the branch!

mergify bot added a commit that referenced this pull request Apr 18, 2023
@mergify
Merge of #6534
272ca35
@mergify mergify bot mentioned this pull request Apr 18, 2023
Closed
@mergify mergify bot merged commit 0d50d97 into main Apr 18, 2023
@mergify mergify bot deleted the private-nonce-mem-fix branch April 18, 2023 08:13
@teor2345 teor2345 mentioned this pull request Apr 18, 2023
Merged
6 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arya2 arya2 arya2 approved these changes

@upbqdn upbqdn Awaiting requested review from upbqdn upbqdn is a code owner automatically assigned from ZcashFoundation/network-reviewers

Assignees

@teor2345 teor2345

Labels
A-concurrency Area: Async code, needs extra work to make it work properly. A-network Area: Network protocol updates or fixes C-bug Category: This is a bug C-security Category: Security issues I-heavy Problems with excessive memory, disk, or CPU usage I-remote-trigger Remote nodes can make Zebra do something bad
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@teor2345 @arya2