Description

Klever-Go P2P MultiDataInterceptor leaks global throttler slots on malformed compressed batches (DoS) ## Publisher note Fixed in v1.7.17. Operators running < v1.7.17 should upgrade. The decompression-error path in MultiDataInterceptor.ProcessReceivedMessage now releases the global throttler slot before returning (guarded defer after StartProcessing(), disabled when the asynchronous goroutine takes ownership). Patch commits on develop: 333f6ec9, 68b94a40 (merged from private fork klever-io/klever-go-ghsa-74m6-4hjp-7226). This advisory was originally filed jointly with a separate KVM read-only isolation bypass; that finding is now tracked under GHSA-jc6w-wmfc-fh33 so each issue receives its own CVE. The original disclosure from @LoGGGG240211 follows verbatim, including the embedded proof-of-concept source. --- # Private Vulnerability Report Repository: klever-io/klever-go Reviewed commit: 405d01b0abbf0d3e73b4a990bd7394a01f200dc2 Disclosure channel: GitHub Private Vulnerability Reporting Reporter GitHub account: LoGGGG240211 ## 2.1 MultiDataInterceptor malformed compressed batches permanently consume global P2P throttler slots Severity : High Confidence : HIGH Attack Complexity : LOW PoC Status : Confirmed ### Description The P2P MultiDataInterceptor starts throttled processing before it validates and decompresses a received batch. PreProcessMessage checks whether the global interceptor throttler can process the message and then calls StartProcessing(). After that point, ProcessReceivedMessage unmarshals the batch and enters the compressed-batch branch when b.IsCompressed is true. If b.Decompress() fails, the function logs the gzip error and returns immediately without calling EndProcessing(). This creates a permanent slot leak in the interceptor throttler. The normal successful path releases the slot only later in the asynchronous processing goroutine. Other validation error paths release the slot explicitly, but the decompression-error path does not. The impact is amplified because the same global throttler is shared by transaction multi-data interceptors, trie-node multi-data interceptors, and header interceptors. The hardcoded global capacity is 100, so a connected peer that can deliver 100 malformed compressed batch envelopes can cause later valid P2P interceptor processing on the affected node to fail with system busy until the process is restarted or the throttler state is otherwise reset. ### Location 1. baseDataInterceptor.go, PreProcessMessage(), line 42 2. baseDataInterceptor.go, PreProcessMessage(), line 47 3. multiDataInterceptor.go, ProcessReceivedMessage(), line 95 4. multiDataInterceptor.go, ProcessReceivedMessage(), line 99 5. baseInterceptorsContainerFactory.go, numGoRoutines, line 21 6. baseInterceptorsContainerFactory.go, createOneTxInterceptor(), line 160 7. baseInterceptorsContainerFactory.go, createOneTrieNodesInterceptor(), line 190 8. baseInterceptorsContainerFactory.go, generateMetachainHeaderInterceptors(), line 232 ### Preconditions 1. The attacker can connect as a P2P peer or otherwise send P2P messages that reach a MultiDataInterceptor topic handler. 2. The malformed message must pass the outer preprocessing checks before the decompression branch. 3. No validator role, private key, capital, oracle condition, or timing condition is required. ### Impact Successful exploitation causes a persistent per-node denial of P2P interceptor processing until node restart or throttler reset. The affected throttler is shared across transaction batch processing and trie-node sync processing, and header processing also uses the same throttler. The PoC demonstrates the concrete effect with a capacity-2 throttler: two malformed compressed batches leak both slots and the third message returns system busy. In the reviewed codebase, the production factory hardcodes the shared capacity to 100, so the same condition is expected after approximately 100 malformed compressed batches. The impact is reversible by restarting the node or otherwise resetting the throttler state. ### Exploit Cost No gas and no protocol capital are required. The practical cost is the network cost of sending malformed compressed P2P batch messages to the target node, approximately 100 messages for the hardcoded production global capacity. ### Steps to Reproduce 1. Place poc_mdi_throttler_slot_leak_test.go in an empty directory. 2. Run the dependency commands listed in the PoC header. 3. Run GOTOOLCHAIN=go1.25.9 go test -v poc_mdi_throttler_slot_leak_test.go. 4. Observe that the first proof increments StartProcessing() without incrementing EndProcessing() after a gzip decompression error. 5. Observe that the second proof uses a real capacity-2 throttler and reaches system busy on the third malformed compressed batch. ### Proof-of-Concept Result Running GOTOOLCHAIN=go1.25.9 go test -v poc_mdi_throttler_slot_leak_test.go after dependency setup produces the following output. The result confirms that malformed compressed batches leak throttler slots and cause a real throttler to reject later processing as system busy. text === RUN TestPoC_MalformedCompressedBatchLeaksThrottlerSlot ERROR[2026-04-28 13:35:04.398] MultiDataInterceptor.ProcessReceivedMessage err = gzip: invalid header poc_mdi_throttler_slot_leak_test.go:108: process_error=gzip: invalid header poc_mdi_throttler_slot_leak_test.go:109: start_count_before=0 poc_mdi_throttler_slot_leak_test.go:110: start_count_after=1 poc_mdi_throttler_slot_leak_test.go:111: end_count_before=0 poc_mdi_throttler_slot_leak_test.go:112: end_count_after=0 ERROR[2026-04-28 13:35:04.398] MultiDataInterceptor.ProcessReceivedMessage err = gzip: invalid header ERROR[2026-04-28 13:35:04.398] MultiDataInterceptor.ProcessReceivedMessage err = gzip: invalid header poc_mdi_throttler_slot_leak_test.go:133: real_throttler_attempt_1=gzip: invalid header poc_mdi_throttler_slot_leak_test.go:134: real_throttler_attempt_2=gzip: invalid header poc_mdi_throttler_slot_leak_test.go:135: real_throttler_attempt_3=system busy --- PASS: TestPoC_MalformedCompressedBatchLeaksThrottlerSlot (0.00s) PASS ok command-line-arguments 0.002s ### Suggested Fix Ensure that every path after StartProcessing() releases the throttler slot exactly once. A direct fix is to call EndProcessing() before returning from the decompression-error branch. A more robust fix is to use a guarded defer immediately after StartProcessing() and disable that defer only when the asynchronous goroutine takes ownership of releasing the slot. ## Closing I am available to answer technical questions regarding these findings and to review proposed fixes prior to deployment. Please contact me through this disclosure thread or through the email address associated with this submission. ## Proof-of-Concept Source ### poc_mdi_throttler_slot_leak_test.go ```go package poc /* Target contract : Klever-Go P2P MultiDataInterceptor; no on-chain address Vulnerability : Denial of service through leaked global P2P throttler slots Severity : High How to run : GOTOOLCHAIN=go1.25.9 go test -v poc_mdi_throttler_slot_leak_test.go Expected output : The test passes and logs that a real throttler returns system busy after malformed compressed batches Dependencies : In an empty directory containing this file, run: go mod init klever-go-disclosure-poc; go get github.com/klever-io/klever-[email protected]; go mod tidy */ import ( "errors" "fmt" "testing" "github.com/klever-io/klever-go/common" "github.com/klever-io/klever-go/common/mock" "github.com/klever-io/klever-go/core" "github.com/klever-io/klever-go/core/process/interceptors" "github.com/klever-io/klever-go/core/throttler" "github.com/klever-io/klever-go/data/batch" ) func malformedCompressedBatchPayload(t *testing.T, marshalizer *mock.MarshalizerMock) []byte { t.Helper() // Build a syntactically valid batch envelope whose compressed stream is not valid gzip. payload, err := marshalizer.Marshal(&batch.Batch{ IsCompressed: true, Stream: []byte("not-a-gzip-stream"), DataSize: 1, }) if err != nil { t.Fatalf("marshal malformed compressed batch: %v", err) } return payload } func newMultiDataInterceptor(t *testing.T, marshalizer *mock.MarshalizerMock, throttlerArg interface { CanProcess() bool StartProcessing() EndProcessing() IsInterfaceNil() bool }) *interceptors.MultiDataInterceptor { t.Helper() // Use the production transaction topic and production MultiDataInterceptor constructor. arg := interceptors.ArgMultiDataInterceptor{ Topic: common.TransactionTopic, Marshalizer: marshalizer, DataFactory: &mock.InterceptedDataFactoryStub{}, Processor: &mock.InterceptorProcessorStub{}, Throttler: throttlerArg, AntifloodHandler: &mock.P2PAntifloodHandlerStub{}, WhiteListRequest: &mock.WhiteListHandlerStub{}, CurrentPeerID: core.PeerID("local-peer"), } mdi, err := interceptors.NewMultiDataInterceptor(arg) if err != nil { t.Fatalf("construct MultiDataInterceptor: %v",

Mitigation

Aliases

References