Closed SecTechTool closed 1 year ago
System information
Geth version: geth 1.10
OS & Version: Linux

Expected behaviour
Nodes run as usual.

Actual behaviour
Nodes crash and cannot be recovered.

Steps to reproduce the behaviour
Set up a QBFT network locally, following the instructions in https://consensys.net/docs/goquorum/en/latest/tutorials/private-network/create-qbft-network. Repeatedly send fuzzed messages to node-1.

Backtrace
Root location: https://github.com/ConsenSys/quorum/blob/master/trie/node.go

```go
func mustDecodeNode(hash, buf []byte) node {
	n, err := decodeNode(hash, buf)
	if err != nil {
		panic(fmt.Sprintf("node %x: %v", hash, err))
	}
	return n
}
```

In line 111, it should not panic directly when decoding fails.

Log info:
```
panic: node 26a6e78d2e0af3a027383d2f2e6dee01d0bf5a2927e0399d0a2e5f3c47162c1b: invalid RLP string size 269 (want 0 or 32) (decode path: [4]<-full)

goroutine 21821 [running]:
github.com/ConsenSys/quorum/trie.mustDecodeNodeUnsafe({0xc144fac100, 0x20, 0x20}, {0xc0606fef00?, 0xc0606fef00?, 0x243?})
	github.com/ConsenSys/quorum/trie/node.go:111 +0xd4
github.com/ConsenSys/quorum/trie.(*Database).node(0xc00015acc0, {0x25, 0xcd, 0x7b, 0x75, 0xaa, 0xc, 0x1, 0xed, 0x48, ...})
	github.com/ConsenSys/quorum/trie/database.go:403 +0x239
github.com/ConsenSys/quorum/trie.(*Trie).resolveHash(0xc0c377ed80, {0xc11b4b216f?, 0x7ff7bca230b6?, 0xc0293cf268?}, {0xc040991770, 0x5, 0x41})
	github.com/ConsenSys/quorum/trie/trie.go:493 +0xe5
github.com/ConsenSys/quorum/trie.(*Trie).tryGet(0x20?, {0x7ff7bdfcdf10?, 0xc12e35bf98?}, {0xc040991770, 0x41, 0x41}, 0x5)
	github.com/ConsenSys/quorum/trie/trie.go:149 +0xe6
github.com/ConsenSys/quorum/trie.(*Trie).tryGet(0xc0c377ed80?, {0x7ff7bdfccef0?, 0xc02b4bca00?}, {0xc040991770, 0xc040991770?, 0x4?}, 0x4)
	github.com/ConsenSys/quorum/trie/trie.go:142 +0x3f4
github.com/ConsenSys/quorum/trie.(*Trie).tryGet(0x4b5fcbac153cdbf?, {0x7ff7bdfcdf10?, 0xc110fe2258?}, {0xc040991770, 0x41, 0x41}, 0x4)
	github.com/ConsenSys/quorum/trie/trie.go:153 +0x176
github.com/ConsenSys/quorum/trie.(*Trie).tryGet(0xc0c377ed80?, {0x7ff7bdfccef0?, 0xc02b780140?}, {0xc040991770, 0xc040991770?, 0x3?}, 0x3)
	github.com/ConsenSys/quorum/trie/trie.go:142 +0x3f4
github.com/ConsenSys/quorum/trie.(*Trie).tryGet(0xf22ab52246add520?, {0x7ff7bdfcdf10?, 0xc0fab7e798?}, {0xc040991770, 0x41, 0x41}, 0x3)
	github.com/ConsenSys/quorum/trie/trie.go:153 +0x176
github.com/ConsenSys/quorum/trie.(*Trie).tryGet(0xc0c377ed80?, {0x7ff7bdfccef0?, 0xc02b780000?}, {0xc040991770, 0xc040991770?, 0x2?}, 0x2)
	github.com/ConsenSys/quorum/trie/trie.go:142 +0x3f4
github.com/ConsenSys/quorum/trie.(*Trie).tryGet(0x2a1af08016459ffc?, {0x7ff7bdfcdf10?, 0xc14db04438?}, {0xc040991770, 0x41, 0x41}, 0x2)
	github.com/ConsenSys/quorum/trie/trie.go:153 +0x176
github.com/ConsenSys/quorum/trie.(*Trie).tryGet(0xc0c377ed80?, {0x7ff7bdfccef0?, 0xc02b27be00?}, {0xc040991770, 0xc040991770?, 0x1?}, 0x1)
	github.com/ConsenSys/quorum/trie/trie.go:142 +0x3f4
github.com/ConsenSys/quorum/trie.(*Trie).TryGet(0xc0c377ed80, {0xc0c377edd0, 0x20, 0x20?})
	github.com/ConsenSys/quorum/trie/trie.go:117 +0xd6
github.com/ConsenSys/quorum/trie.(*StateTrie).TryGet(0xc0c377ed80, {0xc152978ce0?, 0xc152978ce0?, 0x20?})
	github.com/ConsenSys/quorum/trie/secure_trie.go:79 +0x3d
github.com/ConsenSys/quorum/core/state.(*subfetcher).loop(0xc0a945cf70)
	github.com/ConsenSys/quorum/core/state/trie_prefetcher.go:321 +0x810
created by github.com/ConsenSys/quorum/core/state.newSubfetcher
	github.com/ConsenSys/quorum/core/state/trie_prefetcher.go:230 +0x1cb
```

This code is part of go-ethereum; you can raise the issue in the three usages of mustDecodeNode.
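
The failure mode reported in this thread, as an added example that is not part of the original issue and is not Quorum or go-ethereum code: a `must*` decoder that panics inside a background goroutine ends the whole process, while propagating the error or recovering at the worker boundary keeps the node alive. `decodeRef`, `mustDecodeRef`, `resolveGuarded` and `prefetch` are hypothetical names, and the size check is a simplified stand-in for the RLP decoder.

```go
package main

import "fmt"

// decodeRef: hypothetical stand-in for the trie decoder; a reference must be empty or 32 bytes.
func decodeRef(buf []byte) ([]byte, error) {
	if n := len(buf); n != 0 && n != 32 {
		return nil, fmt.Errorf("invalid string size %d (want 0 or 32)", n)
	}
	return buf, nil
}

// mustDecodeRef reproduces the pattern from the issue: a decode error becomes a panic.
func mustDecodeRef(buf []byte) []byte {
	ref, err := decodeRef(buf)
	if err != nil {
		panic(err)
	}
	return ref
}

// resolveGuarded converts a panic from the must* variant back into an error.
func resolveGuarded(buf []byte) (ref []byte, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("recovered decode panic: %v", r)
		}
	}()
	return mustDecodeRef(buf), nil
}

// prefetch models a background worker goroutine that records bad blobs instead of crashing.
func prefetch(blobs [][]byte) (ok int, errs []error) {
	done := make(chan struct{})
	go func() {
		defer close(done)
		for _, b := range blobs {
			if _, err := resolveGuarded(b); err != nil {
				errs = append(errs, err)
			} else {
				ok++
			}
		}
	}()
	<-done
	return ok, errs
}

// Constructed sample input: a valid 32-byte reference, a 269-byte blob, an empty reference.
func main() { fmt.Println(prefetch([][]byte{make([]byte, 32), make([]byte, 269), nil})) }
```

Calling `mustDecodeRef` directly inside the goroutine, without the guard, would terminate the program on the 269-byte blob, because a panic in one goroutine cannot be recovered from another.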