Non-strict Protocol Negotiation in js-libp2p's multistream-select #2161
Labels
kind/bug
A bug in existing code (including security flaws)
Comments
maschad
added
kind/bug
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Version:
"js-libp2p":"js-libp2p-v0.46.14"
"@libp2p/multistream-select",:"4.0.3"
Platform:
Ubuntu20.04
Subsystem:
multistream-select
Severity:
Very Low
Description:
I find bug in the select function in multistream-select that does not strictly adhere to the libp2p specification for Protocol Negotiation.
As per the specification, if either side receives anything other than the multistream protocol id as the first message, they should abort the negotiation process. However, the implementation does not enforce this. The implementation https://github.com/libp2p/js-libp2p/blob/master/packages/multistream-select/src/select.ts#L86. If the first message does not contain the PROTOCOL_ID, it is ignored.
Additionally, according to the specification, if the protocol is not supported, the Responder should respond with the string "na" to indicate that the requested protocol is Not Available. The implementation https://github.com/libp2p/js-libp2p/blob/master/packages/multistream-select/src/select.ts#L104. If the current node does not support the received protocol, it directly closes the connection without notifying the remote peer with "na".
Steps to reproduce the error:
None
Tasks
The text was updated successfully, but these errors were encountered: