Summary
Hello developers!
We are conducting differential testing on CL clients. In our testing, we found that Lighthouse, Prysm, Lodestar, Nimbus, and Grandine accept Ping requests containing trailing garbage bytes after the valid SSZ-snappy payload, while the spec requires rejection with INVALID_REQUEST.
Spec reference (Phase0 p2p-interface.md):
A reader MUST consider the following cases as invalid input:
- Any remaining bytes, after having read the
n SSZ bytes.
In case of an invalid input (header or payload), a reader MUST:
- From requests: send back an error message, response code
InvalidRequest.
What happens
Wire: [varint(8)] [snappy(uint64_le(1))] [0xDE 0xAD ... 16 garbage bytes]
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Spec says: MUST reject as invalid
Lighthouse, Prysm, Lodestar, Nimbus, and Grandine read n bytes declared in the varint header, decode the Ping payload, return SUCCESS, then close the stream. But the spec requires to treat this as InvalidRequest.
Results
| Client |
Response |
Spec Compliant |
| Teku |
INVALID_REQUEST |
YES |
| Grandine |
SUCCESS |
NO |
| Lighthouse |
SUCCESS |
NO |
| Lodestar |
SUCCESS |
NO |
| Nimbus |
SUCCESS |
NO |
| Prysm |
SUCCESS |
NO |
To Reproduce
Please check this link to reproduce with kurtosis.
Thanks for your attention!
Summary
Hello developers!
We are conducting differential testing on CL clients. In our testing, we found that Lighthouse, Prysm, Lodestar, Nimbus, and Grandine accept
Pingrequests containing trailing garbage bytes after the valid SSZ-snappy payload, while the spec requires rejection withINVALID_REQUEST.Spec reference (Phase0
p2p-interface.md):What happens
Lighthouse, Prysm, Lodestar, Nimbus, and Grandine read
nbytes declared in the varint header, decode the Ping payload, returnSUCCESS, then close the stream. But the spec requires to treat this asInvalidRequest.Results
To Reproduce
Please check this link to reproduce with kurtosis.
Thanks for your attention!