Harden Forknote2 blockchain_branch depth parsing to prevent allocation DoS by MoneroOcean · Pull Request #26 · MoneroOcean/node-blocktemplate

MoneroOcean · 2026-05-29T17:27:25Z

The Forknote2/Bytecoin parent-block deserializer used the untrusted tx_extra_merge_mining_tag.depth directly to size bytecoin_block.blockchain_branch, enabling a malicious block blob to force an enormous allocation and crash the process.

Add a hard upper bound static constexpr size_t MAX_BYTECOIN_BLOCKCHAIN_BRANCH_DEPTH = 64 and return false when mm_tag.depth exceeds this value before calling PREPARE_CUSTOM_VECTOR_SERIALIZATION in the blockchain_branch deserialization path in src/cryptonote_basic/cryptonote_basic.h.

Ran npm test locally, but the run could not complete due to network/npm registry access restrictions (HTTP 403 while fetching dependency bech32), so the automated test suite did not finish successfully.

Harden Forknote2 blockchain branch depth parsing

8f2bb8d

MoneroOcean added codex aardvark labels May 29, 2026 — with ChatGPT Codex Connector

MoneroOcean merged commit 5e074f4 into master May 29, 2026
3 checks passed

MoneroOcean deleted the codex/fix-forknote2-merge-mining-depth-vulnerability branch May 29, 2026 18:08

Provide feedback