Reject Status with mismatched protocolVersion vs layout #10241
Merged
macfarla merged 4 commits on Apr 23, 2026
Conversation
A Besu peer build (seen in production as `besu/v26.2-develop-73d07f9`) advertises eth/69 in Hello but sends the eth/68 Status layout `[version, networkId, totalDifficulty, bestHash, genesisHash, forkId]` with `version=69` stamped on the wire. Spec-strict EL clients (e.g. Nimbus) reject this with `protocol breach` every 30 seconds.

Besu's current decoder uses shape auto-detection (checks whether the fourth element is a list) and only discovers the inconsistency inside the EthStatus constructor via `checkArgument`, which throws `IllegalArgumentException`. That type is not caught by `EthProtocolManager.handleStatusMessage`'s `try/catch (RLPException)`, so the exception escapes the message dispatcher instead of producing a clean `SUBPROTOCOL_TRIGGERED_UNPARSABLE_STATUS` disconnect.

Validate version/layout consistency inline in `EthStatus.readFrom` and throw `RLPException` instead. Add tests for both mismatch directions, including the exact malformed bytes captured from the broken peer in bal-devnet-3.

Signed-off-by: qu0b <st3f4n.s@gmail.com>
Signed-off-by: qu0b <stefan@starflinger.eu>
Contributor
FYI: @pinges
pinges approved these changes on Apr 17, 2026
Comment on lines +306 to +310
| // Enforce that the declared protocolVersion matches the encoded shape. Otherwise a peer | ||
| // could advertise eth/69 in Hello but send the eth/68 Status layout (or vice versa), which | ||
| // spec-strict decoders reject. Detect the mismatch here so the handler can disconnect with | ||
| // a clean SUBPROTOCOL_TRIGGERED_UNPARSABLE_STATUS instead of an uncaught | ||
| // IllegalArgumentException from the EthStatus constructor. |
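Review bot: The comment at +306 to +310 restates control flow that lives in other classes (the handler's SUBPROTOCOL_TRIGGERED_UNPARSABLE_STATUS disconnect and the EthStatus constructor's IllegalArgumentException), so it will go stale if either of them changes. Trim it to the invariant the check enforces, that the declared protocolVersion must match the encoded shape, and let a handler-level test pin the disconnect reason.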
Contributor
I think that this comment should be removed. The code is self-explanatory and the comment should not say what not to do.
Addresses review from @pinges: the code is self-explanatory. Signed-off-by: Stefan <stefan@starflinger.eu>
6e1a70c to 5e74f90
daniellehrner added a commit that referenced this pull request on Apr 23, 2026
* Refactor and fixes for JMH benchmarks regarding signed values (#10269) Summary of changes: - There was a lot of duplicate setup code in all of the arithmetic opcodes (DIV, SDIV, MOD, ...). All this copy pasting didn't help and the definition of enums with the byte sizes manually creates a source for errors and duplicate effort. - Names are also now consistent within each benchmark following OPCODE_BIT-SIZE_BIT-SIZE structure for easy copy pasting of results and interpretation. - Removed enum case definition in most cases to avoid redundancy. - Some issues were also fixed around negation of inputs for testing signed opcodes (SMOD was missing negation!). Inputs are now correctly negated and compared with their absolute values for swapping them. - Generation of 256 bit negative numbers is now limited to 255 bits to make sure we leave MSB for two complement representation. * Publish besu-evm as an API dependency from plugin-api (#10262) Signed-off-by: Alejandro <26930485+alejandroGM0@users.noreply.github.com> Co-authored-by: Sally MacFarlane <macfarla.github@gmail.com> * Header download progress (#10275) * Save and resume header download progress on pipeline restart Track the lowest imported block number in ImportHeadersStep and persist it to ChainSyncState so that backward header downloads can resume from where they left off after an error, rather than restarting from the pivot. 
- Add ChainSyncState.withHeaderProgress() to update the header progress - Track lowestImportedBlock in ImportHeadersStep - Return BackwardHeaderPipelineResult record from pipeline factory - Call saveHeaderProgress() in SnapSyncChainDownloader on error Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: stefan.pingel@consensys.net <stefan.pingel@consensys.net> * Enforce EIP-7928 BAL item budget per transaction in processing and mining (#10250) Signed-off-by: Karim Taam <karim.t2am@gmail.com> Co-authored-by: Fabio Di Fabio <fabio.difabio@consensys.net> * Take empty block period seconds out of experimental (#10264) * Take empty block period seconds out of experimental Signed-off-by: Matthew Whitehead <matthew.whitehead@kaleido.io> * Tidy up changelog Signed-off-by: Matthew Whitehead <matthew.whitehead@kaleido.io> * Typo Signed-off-by: Matthew Whitehead <matthew.whitehead@kaleido.io> * Review comments Signed-off-by: Matthew Whitehead <matthew.whitehead@kaleido.io> --------- Signed-off-by: Matthew Whitehead <matthew.whitehead@kaleido.io> * Add ChaindId, Coinbase, Gaslimit and PrevRandao to EVM v2 (#10298) * Add ChaindId, Coinbase, Gaslimit and PrevRandao to EVM v2 Signed-off-by: Ameziane H. <ameziane.hamlat@consensys.net> * Address comments Signed-off-by: Ameziane H. <ameziane.hamlat@consensys.net> --------- Signed-off-by: Ameziane H. <ameziane.hamlat@consensys.net> * Rename InvalidSystemCallAddressException to SystemCallNoCodeAtAddressException (#10305) * Rename InvalidSystemCallAddressException to SystemCallNoCodeAtAddressException The exception is thrown when no code exists at the address, not because the address is invalid. Updated all usages. 
Fixes #10281 Signed-off-by: Liberty S <694522458@qq.com> * Fix missing reference to renamed exception Signed-off-by: Liberty S <694522458@qq.com> --------- Signed-off-by: Liberty S <694522458@qq.com> Co-authored-by: daniellehrner <daniel.lehrner@consensys.net> * Publish Guava as an API dependency from plugin-api (#10248) Signed-off-by: Alejandro <26930485+alejandroGM0@users.noreply.github.com> * clean stop bws if world state unavailable (#10021) * clean stop bws if world state unavailable * immutable field Signed-off-by: Sally MacFarlane <macfarla.github@gmail.com> --------- Signed-off-by: Sally MacFarlane <macfarla.github@gmail.com> * Reject Status with mismatched protocolVersion vs layout (#10241) * Reject Status with mismatched protocolVersion vs layout A Besu peer build (seen in production as `besu/v26.2-develop-73d07f9`) advertises eth/69 in Hello but sends the eth/68 Status layout `[version, networkId, totalDifficulty, bestHash, genesisHash, forkId]` with `version=69` stamped on the wire. Spec-strict EL clients (e.g. Nimbus) reject this with `protocol breach` every 30 seconds. Besu's current decoder uses shape auto-detection (checks whether the fourth element is a list) and only discovers the inconsistency inside the EthStatus constructor via `checkArgument`, which throws `IllegalArgumentException`. That type is not caught by `EthProtocolManager.handleStatusMessage`'s `try/catch (RLPException)`, so the exception escapes the message dispatcher instead of producing a clean `SUBPROTOCOL_TRIGGERED_UNPARSABLE_STATUS` disconnect. Validate version/layout consistency inline in `EthStatus.readFrom` and throw `RLPException` instead. Add tests for both mismatch directions, including the exact malformed bytes captured from the broken peer in bal-devnet-3. Signed-off-by: qu0b <st3f4n.s@gmail.com> Signed-off-by: qu0b <stefan@starflinger.eu> * Remove redundant comment on shape/version enforcement Addresses review from @pinges: the code is self-explanatory. 
Signed-off-by: Stefan <stefan@starflinger.eu> --------- Signed-off-by: qu0b <st3f4n.s@gmail.com> Signed-off-by: qu0b <stefan@starflinger.eu> Signed-off-by: Stefan <stefan@starflinger.eu> Co-authored-by: Stefan Pingel <16143240+pinges@users.noreply.github.com> * Flaky BackwardSyncContextTest: remove broken Awaitility pattern (#10303) * Fix flaky BackwardSyncContextTest by removing broken Awaitility pattern Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sally MacFarlane <macfarla.github@gmail.com> --------- Signed-off-by: Sally MacFarlane <macfarla.github@gmail.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: Matilda-Clerke <matilda.clerke@consensys.net> * Add MulOperationV2 (#10291) Add MulOperationV2, units and benchmark Uses UInt256.mul same as MulOperationOptimized Signed-off-by: Simon Dudley <simon.dudley@consensys.net> * Feat/reenable dynamic cpsb calculation (#10295) * reenable dynamic costPerStateByte calculation Signed-off-by: daniellehrner <daniel.lehrner@consensys.net> * fix AbstractBlockProcessorIntegrationTest Signed-off-by: daniellehrner <daniel.lehrner@consensys.net> --------- Signed-off-by: daniellehrner <daniel.lehrner@consensys.net> * add eip 7976 to Amsterdam (#10296) Signed-off-by: daniellehrner <daniel.lehrner@consensys.net> * Add EIP-7981 to bal-devnet-4 (#10297) * add eip 7981 to Amsterdam Signed-off-by: daniellehrner <daniel.lehrner@consensys.net> * fix AbstractBlockProcessorIntegrationTest Signed-off-by: daniellehrner <daniel.lehrner@consensys.net> --------- Signed-off-by: daniellehrner <daniel.lehrner@consensys.net> --------- Signed-off-by: Alejandro <26930485+alejandroGM0@users.noreply.github.com> Signed-off-by: stefan.pingel@consensys.net <stefan.pingel@consensys.net> Signed-off-by: Karim Taam <karim.t2am@gmail.com> Signed-off-by: Matthew Whitehead <matthew.whitehead@kaleido.io> Signed-off-by: Ameziane H. 
<ameziane.hamlat@consensys.net> Signed-off-by: Liberty S <694522458@qq.com> Signed-off-by: Sally MacFarlane <macfarla.github@gmail.com> Signed-off-by: qu0b <st3f4n.s@gmail.com> Signed-off-by: qu0b <stefan@starflinger.eu> Signed-off-by: Stefan <stefan@starflinger.eu> Signed-off-by: Simon Dudley <simon.dudley@consensys.net> Signed-off-by: daniellehrner <daniel.lehrner@consensys.net> Co-authored-by: Luis Pinto <luis.pinto@consensys.net> Co-authored-by: Alejandro <26930485+alejandroGM0@users.noreply.github.com> Co-authored-by: Sally MacFarlane <macfarla.github@gmail.com> Co-authored-by: Stefan Pingel <16143240+pinges@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: Karim Taam <karim.t2am@gmail.com> Co-authored-by: Fabio Di Fabio <fabio.difabio@consensys.net> Co-authored-by: Matt Whitehead <matthew.whitehead@kaleido.io> Co-authored-by: ahamlat <ameziane.hamlat@consensys.net> Co-authored-by: Liberty-Swine <694522458@qq.com> Co-authored-by: Stefan <22667037+qu0b@users.noreply.github.com> Co-authored-by: Matilda-Clerke <matilda.clerke@consensys.net> Co-authored-by: Simon Dudley <simon.dudley@consensys.net>
jflo added a commit that referenced this pull request on Apr 29, 2026
* CHANGELOG: prep for 26.5.0 Move four entries that landed after the 26.4.0 tag was cut from the 26.4.0 section into Unreleased (#10268, #10249, #10276, #10241), and fill in entries for user-facing PRs that merged since 26.4.0. Signed-off-by: jflo <justin+github@florentine.us> * Update CHANGELOG.md Signed-off-by: Justin Florentine <justin+github@florentine.us> --------- Signed-off-by: jflo <justin+github@florentine.us> Signed-off-by: Justin Florentine <justin+github@florentine.us>
daniellehrner added a commit to daniellehrner/besu that referenced this pull request on Apr 30, 2026
PR description
A Besu peer build (observed in bal-devnet-3 as `besu/v26.2-develop-73d07f9`) advertises eth/69 in Hello but sends the eth/68 Status layout — `[version, networkId, totalDifficulty, bestHash, genesisHash, forkId]` — with `version=69` stamped on the wire. Spec-strict EL clients such as Nimbus reject this every 30 seconds with a protocol-breach disconnect.

Besu's current `EthStatus.readFrom` decoder uses shape auto-detection (checks whether the fourth RLP element is a list) and only discovers the declared-version vs on-wire-layout inconsistency later, inside the `EthStatus` constructor via `checkArgument`, which throws `IllegalArgumentException`. That type is not caught by `EthProtocolManager.handleStatusMessage`'s `try/catch (RLPException)`, so the exception escapes the message dispatcher instead of producing a clean `SUBPROTOCOL_TRIGGERED_UNPARSABLE_STATUS` disconnect.

Fix

Validate version/layout consistency inline in `EthStatus.readFrom` and throw `RLPException` directly:

- `isEth69Shape && protocolVersion <= V68` → reject (eth/69+ layout with an eth/68 version field)
- `!isEth69Shape && protocolVersion >= V69` → reject (eth/68 layout with an eth/69+ version field)

The constructor `checkArgument`s remain to guard the programmatic builder path.

Tests

- `shouldNotHaveTotalDifficultWhen69FromRawInput` updated: now asserts `RLPException` (previously `IllegalArgumentException`).
- `shouldRejectEth69LayoutWithEth68Version` added: covers the symmetric case.
- `shouldRejectEth68LayoutFromProdBesuV26Dot2Develop73d07f9` added: feeds the exact 90-byte Status payload captured from the broken peer on `bal-devnet-3` and asserts rejection.

Decoded prod payload (from the captured trace):
Verification
All green locally (Java 21, Gradle 9.3.1).
PR checklist
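The version/layout rule and the exception-type point from the PR description, as an added Python model that is not part of the pull request and is not Besu's code. `RLPError`, `read_status`, `handle_status`, the `inline_check` switch and the sample messages are assumptions made for the example; the eth/69 field order is assumed from the eth/69 specification, and only the version/layout rule is checked, not the remaining fields.

```python
# Added example: a model of the Status version/layout check, not Besu's code.
class RLPError(Exception):
    """Stand-in for the RLPException named on the page."""

V68, V69 = 68, 69
def _prefix(n, base):
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([base + n]) if n < 56 else bytes([base + 55 + len(raw)]) + raw

def rlp_encode(item):  # ints, bytes and nested lists; only builds the samples
    if isinstance(item, int):
        item = item.to_bytes((item.bit_length() + 7) // 8, "big")
    if isinstance(item, bytes):
        return item if len(item) == 1 and item[0] < 0x80 else _prefix(len(item), 0x80) + item
    body = b"".join(rlp_encode(x) for x in item)
    return _prefix(len(body), 0xC0) + body

def rlp_decode(buf, pos=0):
    """Return (value, next_pos); value is bytes or a list (no canonical-form checks)."""
    if pos >= len(buf):
        raise RLPError("truncated input")
    first = buf[pos]
    if first < 0x80:
        return buf[pos:pos + 1], pos + 1
    is_list = first >= 0xC0
    n, pos = first - (0xC0 if is_list else 0x80), pos + 1
    if n > 55:  # long form: the next n - 55 bytes hold the length
        n, pos = int.from_bytes(buf[pos:pos + n - 55], "big"), pos + n - 55
    end = pos + n
    if end > len(buf):
        raise RLPError("truncated input")
    if not is_list:
        return buf[pos:end], end
    items = []
    while pos < end:
        value, pos = rlp_decode(buf[:end], pos)
        items.append(value)
    return items, end

def read_status(payload, inline_check=True):
    fields, end = rlp_decode(payload)
    ok = end == len(payload) and isinstance(fields, list) and len(fields) >= 4
    if not ok or not isinstance(fields[0], bytes):
        raise RLPError("malformed Status list")
    version = int.from_bytes(fields[0], "big")
    is_eth69_shape = isinstance(fields[3], list)  # forkId is 4th only in eth/69
    layout = "eth/69" if is_eth69_shape else "eth/68"
    if (is_eth69_shape and version <= V68) or (not is_eth69_shape and version >= V69):
        # inline_check=False models the old late check raising an uncaught type
        raise (RLPError if inline_check else ValueError)(f"version {version} in {layout} layout")
    return version, layout

def handle_status(payload, inline_check=True):  # catches only the parse exception
    try:
        read_status(payload, inline_check)
    except RLPError:
        return "SUBPROTOCOL_TRIGGERED_UNPARSABLE_STATUS"
    return "ACCEPTED"

# Constructed samples: placeholder hashes and fork id, not captured traffic.
H, FORK_ID = bytes(32), [bytes(4), 0]
def sample(version, eth69_shape):
    body = [1, H, FORK_ID, 0, 1, H] if eth69_shape else [1, 1, H, H, FORK_ID]
    return rlp_encode([version] + body)
```

With `inline_check=False` the mismatch surfaces as `ValueError`, which `handle_status` does not catch, mirroring the escaped `IllegalArgumentException` the description reports.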