fix: P2P message deserialization and packet size hardening #82

Open
R0BC0D3R wants to merge 2 commits into master from fix/security-p2p-hardening

@R0BC0D3R
Member

Summary

Backports upstream Monero security mitigations for P2P denial-of-service
attack vectors. Changes are split into two areas:

Portable storage deserialization limits (epee)

  • Adds a global object field counter (m_fields) separate from the object
    count, capped at 262,144 fields per message
  • Rejects duplicate keys within a section
  • Rejects unnamed section entries (zero-length key)
  • Bounds-checks section arrays against the per-message object limit

Levin protocol packet size controls

  • New connections are limited to 256 KiB until the P2P handshake completes,
    then upgraded to the full 100 MB cap
  • Per-command byte limits are set on each new connection (e.g. 4 KiB for
    PING/support-flags, 64 KiB for handshake/timed-sync, 128 MiB for
    block and transaction responses)
  • Transaction flood notifications are skipped for peers that have not yet
    completed the handshake

Test plan

  • Daemon starts and forms peer connections without packet-size warnings
  • Blockchain sync proceeds normally
  • Transaction send/receive works correctly
  • No regressions in peer connectivity or mining

R0BC0D3R added 2 commits May 15, 2026 13:38
Ports several defensive checks from Monero v0.17.1.8-1.9 added in
response to an active memory exhaustion attack on the network (Dec 2020).

- Reject duplicate keys in epee binary deserialization
- Reject unnamed sections on read, write, and insert
- Track section objects and fields with separate counters and tighter
  limits (65536 objects, 262144 fields) to bound memory allocation
- Add per-object limit check when deserializing section arrays

Port of Monero commits f0b867b, cb296b3, 53106985, 0add7ec1.
… caps

Connections start at a 256 KiB receive limit, upgraded to 100 MB once
the P2P handshake completes. Per-command byte limits are registered on
new connections (e.g. 4 KiB for PING, 128 MiB for block/tx responses).
Transaction flooding is also restricted to fully handshaked peers.
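
The two-stage receive limit and per-command caps described in this pull request, as an added sketch that is not the project's or Monero's own code. The byte sizes come from the description above; the class, enum and function names are hypothetical, "100 MB" is assumed to be decimal, and applying both the connection cap and the command cap to the declared length is this example's assumption.

```cpp
#include <algorithm>
#include <cstdint>
#include <map>

// Sizes come from the PR description; all names here are hypothetical.
constexpr uint64_t KiB = 1024, MiB = 1024 * KiB;
constexpr uint64_t PRE_HANDSHAKE_LIMIT = 256 * KiB;
constexpr uint64_t POST_HANDSHAKE_LIMIT = 100000000ULL;  // "100 MB", assumed decimal

// Hypothetical command identifiers, not the project's numeric IDs.
enum class Cmd { Handshake, TimedSync, Ping, SupportFlags, BlockResponse };
enum class Verdict { Accept, OverConnectionLimit, OverCommandLimit };

class ConnectionLimits {
public:
    ConnectionLimits() : max_packet_(PRE_HANDSHAKE_LIMIT) {
        // Per-command byte limits registered when the connection is created.
        per_cmd_ = {{Cmd::Ping, 4 * KiB}, {Cmd::SupportFlags, 4 * KiB},
                    {Cmd::Handshake, 64 * KiB}, {Cmd::TimedSync, 64 * KiB},
                    {Cmd::BlockResponse, 128 * MiB}};
    }

    // Called once the P2P handshake has completed.
    void on_handshake_complete() { max_packet_ = POST_HANDSHAKE_LIMIT; }

    // Decide from the header's declared body length, before any buffer is allocated.
    Verdict check_header(Cmd cmd, uint64_t declared_len) const {
        if (declared_len > max_packet_) return Verdict::OverConnectionLimit;
        auto it = per_cmd_.find(cmd);
        // Commands without a registered limit fall back to the connection cap (assumption).
        if (it != per_cmd_.end() && declared_len > it->second) return Verdict::OverCommandLimit;
        return Verdict::Accept;
    }

    // The tighter of the two bounds is what a peer can make the node buffer.
    uint64_t effective_limit(Cmd cmd) const {
        auto it = per_cmd_.find(cmd);
        return it == per_cmd_.end() ? max_packet_ : std::min(max_packet_, it->second);
    }

private:
    uint64_t max_packet_;
    std::map<Cmd, uint64_t> per_cmd_;
};

int main() {  // a fresh connection rejects a 1 MiB block response until the handshake completes
    ConnectionLimits c;
    return c.check_header(Cmd::BlockResponse, MiB) == Verdict::OverConnectionLimit ? 0 : 1;
}
```

With these numbers the 128 MiB command cap is larger than the 100 MB connection cap, so in this sketch the connection cap is the binding limit for block responses even after the handshake.
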
@github-actions

Build Artifacts

Target Status Download
nerva-linux-armv7 Download
nerva-linux-armv8 Download
nerva-windows-x32 Download
nerva-linux-i686 Download
nerva-windows-x64 Download
nerva-linux-x86_64 Download
nerva-macos-x64 Download
nerva-macos-armv8 Download
nerva-freebsd-x86_64 Download
nerva-android-armv8 Download

10 succeeded, 0 failed | View workflow run
