ChainSafe/discv5

[Crash/Fuzzing] "TypeError: Cannot read property 'toString' of undefined" when parsing ENR string

pventuzelo opened this issue · 3 comments

Describe the bug

During fuzzing with beaconfuzz, I found this TypeError crash inside the enr library when parsing an invalid ENR string.

Expected behavior

Should throw an Error since this string is invalid.

Steps to Reproduce

crash_TypeError_tostring_undef_enr_lodestar.js:

var discv5 = require("@chainsafe/discv5");

// Rebuild the fuzzer-found ENR text from its hex form (it is not valid base64)
var buf = Buffer.from('656e723a2d435972595a62404b574342526c4179357a7a61445a584a42476b636e68344d486342465a6e75584e467264764a6a5830346a527a6a7a', 'hex').toString();

// Expected: an Error for an invalid record; observed: the TypeError in the trace below
discv5.ENR.decodeTxt(buf);

Run:

$ npm i @chainsafe/discv5

$ node crash_TypeError_tostring_undef_enr_lodestar.js
/home/scop/node_modules/@chainsafe/discv5/lib/enr/enr.js:76
        return this.get("id").toString("utf8");
                             ^

TypeError: Cannot read property 'toString' of undefined
    at Map.get id [as id] (/home/scop/node_modules/@chainsafe/discv5/lib/enr/enr.js:76:30)
    at Map.verify (/home/scop/node_modules/@chainsafe/discv5/lib/enr/enr.js:187:22)
    at Function.decodeFromValues (/home/scop/node_modules/@chainsafe/discv5/lib/enr/enr.js:55:18)
    at Function.decode (/home/scop/node_modules/@chainsafe/discv5/lib/enr/enr.js:62:20)
    at Function.decodeTxt (/home/scop/node_modules/@chainsafe/discv5/lib/enr/enr.js:68:20)
    at Object.<anonymous> (XXX/crash_TypeError_tostring_undef_enr_lodestar.js:5:12)
    at Module._compile (internal/modules/cjs/loader.js:936:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:947:10)
    at Module.load (internal/modules/cjs/loader.js:790:32)
    at Function.Module._load (internal/modules/cjs/loader.js:703:12)

EDIT: I've updated this issue; the testing sample and error were not the right ones.

Additional information: this string is rejected by zcli with an "illegal base64 data" error.

After the fix, it should throw an Error: "Invalid record id".
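The two checks this report points at, as an added example that is not code from @chainsafe/discv5 or from the reporter: a strict base64url pre-check on the "enr:" text (Node's lenient base64 decoder is why the '@' in the sample is not rejected the way zcli rejects it), and an accessor that turns a missing "id" key into the descriptive Error the reporter expects instead of a TypeError. Function and constant names are assumptions.

```javascript
// Added example (not the discv5 library's code); names are hypothetical.

// The reported ENR text, rebuilt from its hex; note the '@' in the payload.
const REPORTED_TXT = Buffer.from(
  "656e723a2d435972595a62404b574342526c4179357a7a61445a584a42476b636e68344d486342465a6e75584e467264764a6a5830346a527a6a7a",
  "hex"
).toString();

const B64URL_STRICT = /^[A-Za-z0-9_-]*$/;

// Buffer.from(s, "base64") silently skips characters outside the alphabet,
// so '@' is not an error for Node. Reject such input before decoding.
function decodeEnrTextStrict(txt) {
  if (typeof txt !== "string" || !txt.startsWith("enr:")) {
    throw new Error("ENR text must start with 'enr:'");
  }
  const payload = txt.slice("enr:".length);
  if (!B64URL_STRICT.test(payload)) {
    throw new Error("illegal base64 data in ENR text");
  }
  return Buffer.from(payload, "base64");
}

// Lenient decode of the same payload: no throw, bytes still come back.
function lenientDecodedLength(txt) {
  return Buffer.from(txt.slice("enr:".length), "base64").length;
}

// Defensive accessor over decoded key/value pairs (Map<string, Buffer>):
// a missing or non-Buffer "id" becomes an Error, not a TypeError.
function recordId(kvs) {
  const id = kvs.get("id");
  if (!Buffer.isBuffer(id)) throw new Error("Invalid record id");
  return id.toString("utf8");
}

function verifyRecordId(kvs) {
  if (recordId(kvs) !== "v4") throw new Error("Invalid record id");
  return true;
}

// Returns the error message a caller would see, or "ok".
function classify(fn, arg) {
  try { fn(arg); return "ok"; } catch (e) { return e.message; }
}

console.log(classify(decodeEnrTextStrict, REPORTED_TXT)); // illegal base64 data in ENR text
console.log(classify(verifyRecordId, new Map()));         // Invalid record id
console.log(classify(verifyRecordId, new Map([["id", Buffer.from("v4")]]))); // ok
```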