File: crates/messaging/src/lib.rs:260
Severity: robustness (availability/DoS)
Obvious? yes
SealedContent { ciphertext: Vec<u8>, ... } is the wire shape for encrypted message content. There is no cap on ciphertext.len(). A peer with knowledge of a channel key (or even without — the ciphertext is opaque before decrypt) can broadcast a message containing an arbitrarily large ciphertext blob; receivers allocate it during deserialise and during open_content before any AEAD verify reveals corruption. Content::validate explicitly does NOT recurse into Encrypted.
Fix: cap ciphertext.len() (e.g. MAX_TEXT_BODY_BYTES + AEAD overhead) in Content::validate and reject during decode.
Filed by /general-audit @ 88498a5 (2026-05-04). master: #600.
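One way to apply the proposed cap, as an added example that is not the crate's own code: the declared length is rejected during decode before any buffer is allocated, and `Content::validate` recurses into `Encrypted`. The value of `MAX_TEXT_BODY_BYTES`, the 16-byte AEAD overhead, the `u32` length-prefixed framing, the `Text` variant and the `WireError` type are assumptions made for illustration.

```rust
// Added illustration: constants, framing and error type are assumptions,
// not the crate's real definitions.
const MAX_TEXT_BODY_BYTES: usize = 64 * 1024; // assumed value
const AEAD_OVERHEAD: usize = 16; // assumed: one 16-byte authentication tag
const MAX_CIPHERTEXT_BYTES: usize = MAX_TEXT_BODY_BYTES + AEAD_OVERHEAD;

#[derive(Debug, PartialEq)]
enum WireError { Truncated, TooLarge(usize) }

#[derive(Debug, PartialEq)]
struct SealedContent { ciphertext: Vec<u8> } // remaining fields elided

#[derive(Debug, PartialEq)]
enum Content { Text(String), Encrypted(SealedContent) }

impl SealedContent {
    /// Assumed framing: u32 big-endian length, then the ciphertext bytes.
    /// The declared length is rejected before any buffer is allocated.
    fn decode(wire: &[u8]) -> Result<Self, WireError> {
        let header = wire.get(..4).ok_or(WireError::Truncated)?;
        let declared = u32::from_be_bytes([header[0], header[1], header[2], header[3]]) as usize;
        if declared > MAX_CIPHERTEXT_BYTES {
            return Err(WireError::TooLarge(declared));
        }
        let body = wire[4..].get(..declared).ok_or(WireError::Truncated)?;
        Ok(SealedContent { ciphertext: body.to_vec() })
    }
}

impl Content {
    /// Recurses into Encrypted so locally built values obey the same bound.
    fn validate(&self) -> Result<(), WireError> {
        let (len, max) = match self {
            Content::Text(t) => (t.len(), MAX_TEXT_BODY_BYTES),
            Content::Encrypted(s) => (s.ciphertext.len(), MAX_CIPHERTEXT_BYTES),
        };
        if len > max { Err(WireError::TooLarge(len)) } else { Ok(()) }
    }
}

fn main() {
    // Constructed input: a 4-byte header claiming ~4 GiB, with no body behind it.
    let hostile = [0xff, 0xff, 0xff, 0xff];
    println!("{:?}", SealedContent::decode(&hostile));
    let oversized = Content::Encrypted(SealedContent { ciphertext: vec![0; MAX_CIPHERTEXT_BYTES + 1] });
    println!("{:?}", oversized.validate());
}
```

With a serde-style decoder the same bound belongs in the deserialiser's length limit, since a post-decode `validate` call alone runs after the allocation has already happened.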