Skip to content

fix: RPC denial-of-service mitigations#83

Open
R0BC0D3R wants to merge 3 commits into
masterfrom
fix/security-rpc-dos
Open

fix: RPC denial-of-service mitigations#83
R0BC0D3R wants to merge 3 commits into
masterfrom
fix/security-rpc-dos

Conversation

@R0BC0D3R
Copy link
Copy Markdown
Member

@R0BC0D3R R0BC0D3R commented May 15, 2026

Summary

Backports three upstream Monero security fixes targeting RPC denial-of-service
attack vectors:

tx_extra size limit in mempool (PR #8784, v0.18.2.2)

  • Rejects mempool transactions with tx_extra exceeding 1060 bytes
  • Prevents RAM/disk exhaustion via crafted oversized extra data
  • Exempt for kept_by_block transactions to preserve sync compatibility
  • RPC minor version bumped to 3.1, new tx_extra_too_big response field

get_output_distribution DoS fix (PR #8084, v0.17.3.0)

  • Restricted RPC now rejects output distribution queries for pre-RCT
    (non-zero amount) outputs
  • Prevents expensive enumeration queries from exhausting public node resources
  • Adds missing CORE_RPC_ERROR_CODE_RESTRICTED (-14) error code

RPC input size limit (PR #8276, v0.17.3.2)

  • All RPC endpoints now reject HTTP requests exceeding 1 MB
  • Limit enforced at the epee HTTP handler level before any parsing occurs
  • Tested: oversized requests are dropped with no response

Test plan

  • Normal daemon operation, sync, and transaction send unaffected
  • RPC version reports 3.1
  • Oversized RPC input returns empty response (connection dropped)
  • get_output_distribution for non-RCT amounts rejected on restricted RPC

R0BC0D3R added 3 commits May 15, 2026 14:33
@R0BC0D3R
fix: cap tx_extra size at 1060 bytes in mempool to prevent RAM exhaus…
cddb33a 
…tion

Transactions with tx_extra exceeding 1060 bytes are rejected at the
mempool level (kept_by_block transactions are exempt for sync compatibility).
The limit covers mandatory content for 16 outputs plus 32 bytes of custom
data per recipient. RPC send_raw_transaction now reports tx_extra_too_big
and the RPC minor version is bumped to 3.1.

Ported from monero-project/monero PR #8784 (v0.18.2.2).
@R0BC0D3R
fix: restrict get_output_distribution to RCT outputs on public nodes
2cc0e65 
Restricted RPC now rejects output distribution requests for pre-RCT
(non-zero amount) outputs, preventing expensive enumeration queries
from exhausting public node resources. RCT output distribution (amount
zero) remains accessible. Also adds CORE_RPC_ERROR_CODE_RESTRICTED (-14)
which was missing from Nerva's error codes.

Ported from monero-project/monero PR #8084 (v0.17.3.0).
@R0BC0D3R
fix: add 1 MB size limit on RPC input to prevent resource exhaustion
c4eb091 
Tracks total bytes received per HTTP connection and rejects requests
exceeding MAX_RPC_CONTENT_LENGTH (1048576 bytes) before processing.
The limit is applied at the epee HTTP handler level, covering all
RPC endpoints uniformly.

Ported from monero-project/monero PR #8276 (v0.17.3.2).
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 15, 2026

Build Artifacts

Target Status Download
nerva-linux-armv7 Download
nerva-linux-armv8 Download
nerva-windows-x32 Download
nerva-linux-i686 Download
nerva-windows-x64 Download
nerva-linux-x86_64 Download
nerva-macos-x64 Download
nerva-macos-armv8 Download
nerva-freebsd-x86_64 Download
nerva-android-armv8 Download

10 succeeded, 0 failed | View workflow run

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ngeojiajun ngeojiajun ngeojiajun approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@R0BC0D3R @ngeojiajun