cl: cap req/resp response body size

[yperbasis]

What

Caplin's req/resp handler (cl/sentinel/httpreqresp) buffered a peer's entire response into memory via an uncapped io.Copy, bounded only by a 10s read deadline. A peer that floods the response stream could drive the victim's heap to many GiB. The cheapest trigger is unauthenticated and automatic: on every inbound connection the victim sends a Status request back to the peer (discovery.onConnection → handshake.ValidatePeer), built with http.NewRequest (background context), so the handler runs the full copy with no caller-side timeout.

Fix

Stream the response through a per-topic size cap instead of buffering it all up front (the reply never needs Content-Length): a compliant response passes through untouched, and one that exceeds its cap surfaces an explicit ErrResponseTooLarge read error rather than being silently truncated and accepted. The cap is an erroring maxBytesReader (net/http.MaxBytesReader without the ResponseWriter coupling), not io.LimitReader, so a valid prefix followed by junk is rejected, not accepted. Sizes per topic:

• Single-object protocols (status, ping, metadata, goodbye, light-client singles) → 1 MiB, tens-of-× over the largest such object. Fail-closed: any protocol not in the multi-chunk registry gets this cap.
• Multi-chunk protocols (by_range / by_root / by_head: blocks, blobs, data columns, exec payloads) → a per-request byte budget = chunkCount × max-on-wire-size-of-one-chunk, computed by the typed cl/rpc builders (which know both the requested item count and the per-protocol chunk size) and plumbed through a new max_response_bytes field on RequestData / RequestDataWithPeer and the Reqresp-Max-Response-Bytes header. The handler clamps that budget to an absolute on-wire MAX_REQUEST_BLOCKS × MAX_CHUNK_SIZE ceiling, so a miscomputed or overflowed budget can't make it stream more than a spec-maximal response. A multi-chunk request that arrives without a budget falls back to the tight single-object cap (not the ceiling), so a forgotten budget fails loud with ErrResponseTooLarge rather than risking an OOM.

Per-chunk sizing: blocks and execution payloads can fill a chunk; a blob sidecar is a fixed ~129 KiB; a data-column sidecar scales with the fork's max blobs (clparams.MaxBlobsPerBlockUpperBound, which covers the BPO schedule). Because the cap is on on-wire (snappy-framed) bytes and blob/column payloads are incompressible, each budget is wrapped in snappy.MaxEncodedLen + framing (saturating to MaxUint64 rather than overflowing) so it never truncates a compliant response.

Protocol classification and the wire-size helper live in cl/sentinel/communication (AllProtocols, MaxWireResponseBytes) as a single source of truth shared by the cl/rpc budget and the httpreqresp backstop. A unit test cross-checks the registry against the by_range / _by_root / _by_head naming convention, so a mis-classified protocol fails the build rather than silently getting the wrong cap.

Because the response is streamed, an over-cap flood is no longer a 413 (by the time the overflow is seen, the 200 status and the peer's response code have already been committed) but an ErrResponseTooLarge from the body read. handshake.ValidatePeer already fails closed on any body read/decode error; service.requestPeer drops the peer on it, preserving the peer removal the 413 path used to give.

The Do bridge is also hardened: a handler panic is recovered and returned as a 500 instead of crashing the process, and a streamed body is closed even if the request context is cancelled before the handler publishes it, so the stream isn't leaked.

The read deadline (and sync timing) is unchanged — the budget rides its own header. A single connection can no longer OOM the node: the worst-case 128-peer Status flood drops from unbounded to ~256 MiB, and a blob by_range flood from multiple GiB to tens-to-hundreds of MiB.

Test

Flood/cap tests drive the real NewRequestHandler receive path over two libp2p hosts:

• TestResponseBodyRejectedOnFlood — a compliant Status response streams through in full (200); a 40 MiB Status flood is bounded at the cap and surfaces ErrResponseTooLarge, not truncated and accepted.
• TestMultiChunkResponseCappedWithoutBudget — an unbudgeted 5 MiB by_range response is bounded at the single-object cap (not the ceiling) and surfaces ErrResponseTooLarge.
• TestMultiChunkResponseRejectedOverByteBudget — a response within the 8 MiB budget passes through in full (200); a 40 MiB flood over it surfaces ErrResponseTooLarge.
• TestMaxBytesReader — the capping reader streams bytes up to its limit unchanged, then returns ErrResponseTooLarge (rather than truncating at EOF) for anything over it.
• TestDoCopiesHandlerWriteBuffer — Do copies the handler's write buffer rather than retaining it, so a caller that reuses its buffer (e.g. http.Error via fmt) can't corrupt the response.
• TestDoClosesStreamingBodyOnContextCancel — if Do returns early on a cancelled request context, the streaming body the handler publishes afterwards is still closed, so the libp2p stream isn't leaked.
• TestDoRecoversHandlerPanic — a handler panic is recovered and surfaced as a 500 rather than crashing the process.
• TestMaxResponseBodySize — iterates communication.AllProtocols: single-object protocols and unbudgeted multi-chunk requests get the tight cap; a budget below the ceiling is honored, above it is clamped.
• communication.TestResponseShapeConvention — cross-checks every protocol's multi-chunk flag against the by_range / _by_root / _by_head naming convention, so a new mis-classified protocol fails the build.
• communication.TestMaxWireResponseBytes — the on-wire budget saturates to MaxUint64 on overflow instead of wrapping to a smaller (truncating) value.
• communication.TestMaxWireResponseBytesBoundsStreamEncoding — the budget upper-bounds the real snappy-stream framed size for items up to MAX_CHUNK_SIZE.
• communication.TestIsMultiChunkProtocol — known protocols classify correctly; unknown ones fail closed to single-object.
• clparams.TestMaxBlobsPerBlockUpperBound — the fork/BPO max-blobs helper.

Fixes ethereum-bounty/erigon#13

[Copilot]

Pull request overview

This PR hardens Caplin’s cl/sentinel/httpreqresp req/resp HTTP bridge against unbounded memory growth by capping how much response data is buffered/read from a libp2p stream (especially impactful for the automatic Status handshake path).

Changes:

• Add per-topic maximum response body sizing (maxResponseBodySize) with a tight cap for single-chunk protocols and a larger cap for _by_range/_by_root multi-chunk protocols.
• Apply the cap by wrapping the stream reader with io.LimitReader in the response io.Copy.
• Add tests validating the topic→ceiling mapping and that a flooding peer cannot cause buffering beyond maxChunkSize for a single-chunk (Status) response.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
cl/sentinel/httpreqresp/server.go	Introduces max response sizing logic and enforces it via io.LimitReader during response copy.
cl/sentinel/httpreqresp/server_test.go	Adds tests for the sizing logic and a libp2p-based flood regression test.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

[Copilot]

Pull request overview

Copilot reviewed 7 out of 8 changed files in this pull request and generated 2 comments.

Files not reviewed (1)

• node/gointerfaces/sentinelproto/sentinel.pb.go: Language not supported

[Copilot]

Pull request overview

Copilot reviewed 9 out of 10 changed files in this pull request and generated 1 comment.

Files not reviewed (1)

• node/gointerfaces/sentinelproto/sentinel.pb.go: Language not supported

[domiwei]

Thanks for working on this. The Status/single-object flood case looks much safer now: the handler caps the read, returns 413 on overflow, and avoids setting REQRESP-RESPONSE-CODE on rejected responses.

I think the main remaining issue is that multi-chunk responses are still fully buffered. NewRequestHandler enforces the cap with:

respBody, err := io.ReadAll(io.LimitReader(stream, limit+1))

For multi-chunk protocols, limit is derived from the request’s wire budget. That is useful as a stream guard, but while this path still materializes the whole body, it also becomes the heap allocation bound. For common block-range requests, a malicious peer can still force hundreds of MiB to over 1 GiB of buffering, and then service.requestPeer reads the response body again into ResponseData.Data.

I’d suggest changing this path to streaming decode instead of full-response buffering:

• keep max_response_bytes as a byte-budget guard;
• enforce it with a counting/limited reader while reading from the peer stream;
• decode req/resp chunks incrementally from an io.Reader;
• reject as soon as the byte budget, chunk count, or per-chunk size is exceeded;
• avoid building a second full copy in service.requestPeer.

That would make max_response_bytes a wire-budget limit rather than a potential heap allocation size. The memory peak would be closer to one chunk plus the decoded object, which is the right shape for multi-chunk req/resp.

Two smaller points:

1. service.requestPeer should probably create the internal request with the caller context:

httpReq, err := http.NewRequestWithContext(ctx, "GET", "http://service.internal/", bytes.NewBuffer(req.Data))

cl/rpc wraps these calls in a 2s timeout, but http.NewRequest gives httpreqresp.Do a background context, so cancellation does not propagate into the bridge.

2. For non-2xx responses, the handler currently sets CONTENT-ENCODING: snappy/stream before it may call http.Error, whose body is plain text. Since service.requestPeer reads error bodies as text this works today, but it would be cleaner to set the snappy response headers only on the success path.

[yperbasis]

Thanks @domiwei — I think you caught the revision just before the streaming refactor I pushed earlier today (89083db): the handler no longer does io.ReadAll(io.LimitReader(stream, limit+1)). It now hands the libp2p stream back as the response body wrapped in a capping reader (maxBytesReader), so the handler itself doesn't buffer the response at all — the cap is enforced incrementally as the body is read, and an over-cap response surfaces as a read error (ErrResponseTooLarge) rather than a 413. (That's the same point @anacrolix raised.)

On the remaining points:

1. Full materialization — you're right that the response is still materialized once, but that's now in service.requestPeer's io.ReadAll(resp.Body) (into ResponseData.Data), not in the handler. It's bounded by the per-request byte budget, so a peer can't exceed what we asked for, but for a large block-range request that bound is still a big single allocation. Dropping the peak to ~one chunk + the decoded object means decoding chunks incrementally across the sentinel→cl/rpc boundary — which is a single gRPC bytes response (ResponseData.Data) today, so it would need that contract to become streaming. Worthwhile, but well beyond this OOM fix (which takes the buffering from unbounded to budget-bounded). Filed as a follow-up: Caplin req/resp: stream multi-chunk responses instead of materializing the full body in requestPeer #21616.

2. http.NewRequestWithContext — this came up in an earlier round and was left intentionally: cl/rpc wraps these calls in a 2s timeout, so propagating the context into Do would cancel in-flight req/resp at 2s instead of at the stream read deadline, changing sync timing.

3. snappy headers on error responses — fixed in 3d0652f: the response headers (incl. CONTENT-ENCODING: snappy/stream) are now set only on the success path. Post-streaming there's also no longer an http.Error/413 path after them.

[Copilot]

Pull request overview

Copilot reviewed 9 out of 10 changed files in this pull request and generated 1 comment.

Files not reviewed (1)

• node/gointerfaces/sentinelproto/sentinel.pb.go: Language not supported

[domiwei]

now lgtm

[anacrolix]

I can't tell if the 413 is returned if the response body exceeds the limit but response header was already returned. There's 2 ways this can be detected by http: the response body doesn't match the advertised length, or the response body fails some other check specific to the content. The first is preferable, but requires you to know the response body length in advance, which can require two passes, or buffering. There is a helper to buffer with a max size in memory before switching to writing to a temporary file.

It's probably overkill at this point, I'm satisfied with not buffering unnecessarily if people are satisfied the size limits are respected.

[anacrolix]

False negative in MQ Sonar 😭

[taratorio]

False negative in MQ Sonar 😭

@anacrolix fix - #21632