The gauges map in Pong (pong.proto line 182) carries no upper bound on the number of entries or on the length of each key string. The comment documents seven known keys, all short, and tells clients to ignore unknown keys, but it sets no contract that a client can rely on to bound its allocation before deserializing the map.
A compromised or buggy Node can send a gauges map with an arbitrary number of entries or with keys of arbitrary length. The client has no specified limit to enforce, so it allocates memory proportional to whatever the Node sends. This is a post-auth memory-exhaustion vector at the client, following the same pattern already identified for Ping.canaries (#23) and Pong.servers (#25).
Add a comment to the gauges field specifying the maximum entry count (for example 32) and the maximum key length (for example 16 bytes), consistent with how the bounded-field pattern is being applied across the rest of the protocol.
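As an added example (not code from the project or from the issue author), this Python pre-check walks the raw serialized Pong bytes and enforces the example limits of 32 entries and 16-byte keys without building the map. The field number in `GAUGES_FIELD` is a placeholder because the page does not give it, and all function names are hypothetical.

```python
# Added example, not project code. GAUGES_FIELD is a placeholder field number;
# the two limits are the example values suggested in the issue text.
MAX_ENTRIES, MAX_KEY_BYTES, GAUGES_FIELD = 32, 16, 7

def read_varint(buf, pos):
    """Decode a base-128 varint; return (value, next_pos)."""
    value = 0
    for shift in range(0, 64, 7):
        if pos >= len(buf):
            break
        value |= (buf[pos] & 0x7F) << shift
        pos += 1
        if buf[pos - 1] < 0x80:
            return value, pos
    raise ValueError("truncated or oversized varint")

def skip_field(buf, pos, wire_type):
    """Return the offset just past one field payload; nothing is copied."""
    if wire_type == 0:
        return read_varint(buf, pos)[1]
    length = {1: 8, 5: 4}.get(wire_type)  # fixed-width wire types
    if wire_type == 2:
        length, pos = read_varint(buf, pos)
    if length is None or pos + length > len(buf):
        raise ValueError("bad wire type or field overruns buffer")
    return pos + length

def check_entry(entry):
    """Reject a map entry whose key (field 1) is longer than MAX_KEY_BYTES."""
    pos = 0
    while pos < len(entry):
        tag, pos = read_varint(entry, pos)
        if tag == 0x0A and read_varint(entry, pos)[0] > MAX_KEY_BYTES:
            raise ValueError("gauges key too long")
        pos = skip_field(entry, pos, tag & 7)

def check_gauges(pong_bytes, field=GAUGES_FIELD):
    """Walk the top-level fields; return the gauges entry count or raise."""
    buf, pos, entries = memoryview(pong_bytes), 0, 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        end = skip_field(buf, pos, tag & 7)
        if tag == (field << 3 | 2):  # one length-delimited map entry
            entries += 1
            if entries > MAX_ENTRIES:
                raise ValueError("too many gauges entries")
            check_entry(buf[read_varint(buf, pos)[1]:end])
        pos = end
    return entries
```

The check reads only tags and length prefixes, so its memory use stays constant regardless of how many entries or how long a key the Node sends.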