fix: validate account count and enforce payer mutability#83
Open
Validate num_accounts from the SVM input buffer before dispatch and event handling to return NotEnoughAccountKeys instead of crashing on malformed transactions. Add compile-time check that init and realloc payers are declared writable.
⚡ CU Benchmark (Vault)
Binary size: 6,928 bytes (+40 🔴 bytes)
Context

The `dispatch!` macro and `__handle_event` both skip the `num_accounts` u64 at the start of the SVM input buffer without ever reading it. If a transaction provides fewer accounts than the instruction expects, `parse_accounts` walks past the valid account data into unmapped memory and the SBF VM traps with an access violation. Not a security vulnerability (the crash is safe — no state changes, no fund loss), but a correctness issue: programs should return `NotEnoughAccountKeys` instead of crashing.

Separately, there was no compile-time enforcement that payer accounts are writable. The Solana runtime catches this at execution time, but a build error is strictly better than a failed transaction on testnet.

Ref: #80 (QSR-01, QSR-04, QSR-05). QSR-02 is a compile-time-only footgun, QSR-03 is wrong (intentional SIMD-0321 entrypoint).

Changes

- `lang/src/entrypoint.rs` — Read `num_accounts` from offset 0 of the SVM buffer. Each `dispatch!` match arm now checks `num_accounts >= COUNT` before calling `parse_accounts`. ~2 CU cost.
- `derive/src/program.rs` — `__handle_event` checks `num_accounts > 0` before dereferencing the first account for the event authority signer/address check.
- `derive/src/accounts/fields.rs` — `process_fields` now rejects at compile time if the `init` or `realloc` payer field is not `&mut` or `#[account(mut)]`.

Test plan

- `cargo check` — clean
- `cargo fmt` — clean
- `cargo clippy` — clean
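The account-count check described under Context and Changes, as an added example that is not the PR's code or the project's `lang`/`derive` crates. It is plain Rust over a constructed buffer and assumes only what the PR states about the layout: a little-endian u64 `num_accounts` at offset 0. The `ProgramError` enum, the fixed-size dummy records (real Solana account records are variable length), `build_input`, `parse_accounts_unchecked` and `dispatch` are illustrative assumptions. The unchecked parser stands in for the old behaviour: on a short buffer it panics on slice indexing where the SBF VM would trap; the guarded `dispatch` returns `NotEnoughAccountKeys` before any account is touched.

```rust
// Added example, not code from the PR or the project. Only the header layout
// (little-endian u64 num_accounts at offset 0) comes from the PR; the error
// enum, record format and function names are constructed for illustration.

#[derive(Debug, PartialEq)]
pub enum ProgramError {
    NotEnoughAccountKeys, // the variant the PR says programs should return
    InvalidInput,         // hypothetical: buffer shorter than the 8-byte header
}

/// Read `num_accounts` from offset 0 and compare it with the count the
/// instruction expects, before any account record is dereferenced.
pub fn check_account_count(input: &[u8], expected: u64) -> Result<u64, ProgramError> {
    let header = input.get(..8).ok_or(ProgramError::InvalidInput)?;
    let num_accounts = u64::from_le_bytes(header.try_into().unwrap());
    if num_accounts < expected {
        return Err(ProgramError::NotEnoughAccountKeys);
    }
    Ok(num_accounts)
}

/// Hypothetical fixed-size account record; real records are variable length.
const RECORD_LEN: usize = 8;

/// Build a constructed input buffer: the header followed by `n` dummy records.
pub fn build_input(n: u64) -> Vec<u8> {
    let mut buf = n.to_le_bytes().to_vec();
    for i in 0..n {
        buf.extend_from_slice(&i.to_le_bytes()); // dummy record body
    }
    buf
}

/// The pattern the PR removes: skip the header without reading it and index
/// `count` records by position. With a short buffer the slice index panics
/// here; the equivalent raw-pointer walk in the SBF VM traps.
pub fn parse_accounts_unchecked(input: &[u8], count: usize) -> Vec<&[u8]> {
    (0..count)
        .map(|i| &input[8 + i * RECORD_LEN..8 + (i + 1) * RECORD_LEN])
        .collect()
}

/// Guarded dispatch arm: validate the count first, then parse.
pub fn dispatch(input: &[u8], count: usize) -> Result<Vec<&[u8]>, ProgramError> {
    check_account_count(input, count as u64)?;
    Ok(parse_accounts_unchecked(input, count))
}

fn main() {
    let ok = build_input(3);
    assert_eq!(dispatch(&ok, 3).unwrap().len(), 3);
    let short = build_input(1);
    assert_eq!(dispatch(&short, 3), Err(ProgramError::NotEnoughAccountKeys));
    println!("account count validated before parsing");
}
```

The check costs one bounded slice read and one comparison, which is consistent with the ~2 CU the PR reports; the important property is that it runs before `parse_accounts`, so a malformed transaction is rejected with a program error rather than a VM trap.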