AI-generated audit finding — this issue was opened from an automated security/correctness audit. It has not been triaged by a human yet; verify the reasoning, reproducibility, and severity before acting on it.
Medium: Protobuf envelope validation is incomplete and misclassifies malformed input — CONFIRMED
Affected code:
- The compression flag byte is only rejected for the exact value `1`, and that path throws `NotSupportedException`.
- `DecodeMessageLength` uses `BinaryPrimitives.ReadInt32BigEndian` (signed).
- `ReadAtLeastAsync` is called without a non-negative check on the decoded length.
- Decode failures other than `InvalidDataException` map to `InternalError`.
Verification:
Confirmed. Three independent issues in the same 5-byte envelope validation:
- The compression flag byte is only rejected for the exact value `1`. Values `2..255` are silently accepted as "uncompressed" even though they violate the envelope contract.
- When the flag is `1`, the throw is `NotSupportedException` rather than `InvalidDataException`. The protocol connection maps that to `InternalError` instead of a clean malformed-input response.
- The length is decoded with `ReadInt32BigEndian` (signed). A peer sending a high bit yields a negative `messageLength`, which propagates to `reader.ReadAtLeastAsync(messageLength, …)` — that method throws `ArgumentOutOfRangeException` for negative minimum sizes, again mis-mapped to `InternalError`.
Impact:
- Malformed peer input surfaces as `InternalError` instead of `InvalidData`.
- Server-side error reporting becomes inconsistent for bad Protobuf payloads.
- Client-side callers may see raw framework exceptions for malformed envelopes.
Recommendation:
- Reject any nonzero compression flag with `InvalidDataException`.
- Reject `messageLength < 0` with `InvalidDataException` before `ReadAtLeastAsync`.
- Keep all malformed-envelope failures inside the `InvalidDataException` boundary.
- Add regression tests for: compression flag `1`, flag values in `2..255`, and negative encoded lengths.
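The decode path before and after the recommended changes, as an added example that is not IceRpc's code. `EnvelopeHeader`, `DecodeLengthBefore` and `DecodeLength` are assumed names for illustration; the envelope layout (1 flag byte + 4-byte big-endian length) is the one the finding describes.

```csharp
using System;
using System.Buffers.Binary;
using System.IO;

// Added example, not IceRpc's code. Hypothetical helper for the 5-byte
// envelope in the finding: 1 compression-flag byte + 4-byte big-endian length.
static class EnvelopeHeader
{
    public const int Size = 5;

    // Behaviour the finding describes: only flag == 1 is rejected, with
    // NotSupportedException; the length is decoded signed and never checked.
    public static int DecodeLengthBefore(ReadOnlySpan<byte> header)
    {
        if (header[0] == 1)
            throw new NotSupportedException("compressed messages are not supported");
        return BinaryPrimitives.ReadInt32BigEndian(header.Slice(1, 4));
    }

    // Recommended shape: every malformed envelope is an InvalidDataException,
    // so the connection can report InvalidData instead of InternalError.
    public static int DecodeLength(ReadOnlySpan<byte> header)
    {
        if (header.Length < Size)
            throw new InvalidDataException("truncated Protobuf envelope");
        byte flag = header[0];
        if (flag != 0) // rejects 1 and 2..255 alike
            throw new InvalidDataException($"invalid compression flag {flag}");
        int length = BinaryPrimitives.ReadInt32BigEndian(header.Slice(1, 4));
        if (length < 0) // high bit set in the length field
            throw new InvalidDataException($"negative message length {length}");
        return length;
    }

    // Regression-style check over the three inputs the finding calls out
    // (constructed sample headers).
    public static void Main()
    {
        byte[][] malformed =
        {
            new byte[] { 1, 0, 0, 0, 4 },     // compression flag 1
            new byte[] { 7, 0, 0, 0, 4 },     // flag in 2..255
            new byte[] { 0, 0x80, 0, 0, 0 },  // negative encoded length
        };
        foreach (byte[] header in malformed)
        {
            try { DecodeLength(header); Console.WriteLine("accepted?!"); }
            catch (InvalidDataException e) { Console.WriteLine($"InvalidData: {e.Message}"); }
        }
        Console.WriteLine(DecodeLength(new byte[] { 0, 0, 0, 0, 4 }));
    }
}
```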
Status: Valid, Medium severity.
Source report: src-IceRpc.Protobuf-audit-2026-04-14.md (finding Protobuf envelope validation is incomplete and misclassifies malformed input — **CONFIRMED**)
Severity (auditor-assigned): Medium