Return-Path: Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org [172.17.192.35]) by mail.linuxfoundation.org (Postfix) with ESMTPS id 95AEF94B for ; Tue, 3 Jan 2017 05:05:12 +0000 (UTC) X-Greylist: whitelisted by SQLgrey-1.7.6 Received: from mail-qk0-f172.google.com (mail-qk0-f172.google.com [209.85.220.172]) by smtp1.linuxfoundation.org (Postfix) with ESMTPS id 0C40BEB for ; Tue, 3 Jan 2017 05:05:11 +0000 (UTC) Received: by mail-qk0-f172.google.com with SMTP id h201so226204479qke.1 for ; Mon, 02 Jan 2017 21:05:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=blockstream-io.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=Sov0pqp0QXLFjC/dR6yz/OLSuqGnmSadUzVARHLTuQ0=; b=AjcZY2teCleyhkiP7WH2YEhlj8xRb3gDp9pJhZMzZ0dLfo/RaEegg79G385L9+xzhe 6eWL31XLtOhYhR9Jtx5kxWbO8pJgYDWmh2sIGhd/FwhraRMK7ZLWsm9XOYNPUa+cwwDo 8ZfrAf7XxH+XZs2WaPj/5Iey2GrcBHov/CuOUrZbBYexUxAOItqsAqM+gsGdWhBcT7Eq LJD9i5NrEhL6EbxVyXcH3R12+m3O2ePN5to+PJoLIdBScAxcIIs26E/6nv3V7dYTh8BR ltCb7S8q89RCk1KqrlE0uGKiYzjcq6MpO88wX/YD+TuxW6G7/CQQKi1F5YtI+bIFwxxg TDCQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=Sov0pqp0QXLFjC/dR6yz/OLSuqGnmSadUzVARHLTuQ0=; b=ph7fQi8tn5fWSvy9EFzOudzh182+yGsdrQ/DUVdsDEfMuy7cK+CyoNaLaHGATPtxCl Z8rRWLGftqPLDeEHgNm4Xt/6brK9HAq2W5LToxopw5LAl7Ny4+Na0BK7cMMJ/eX55MMD S4+KVJ6JNe65C3dzQG3Yb67A0NzdUzBHEU73BtjAT99PRX4r963F/sQgvmM3TWkiQigZ DsEkKrqH+BiHkBIB93BirxPyW84cpeNTBqNGma/lT6fdmSx7/g2mBd+stb0UlpQmteiu zshYK1ltcuXMS1Bl/QWXj8VYYYpgBalLpzFyLs/56VMN+BgbeDzk4ZhThToj7jEFJ1pC GTtQ== X-Gm-Message-State: AIkVDXItb9b79JcPAZqNFDkpeSaPNJQX7NCvrgdVpdOgiRE6EhHb2ek5uMiEkFJPQtfFav1km9b2q4HuP3WuHQ88 X-Received: by 10.55.162.86 with SMTP id l83mr58914292qke.17.1483419911097; Mon, 02 Jan 2017 21:05:11 -0800 (PST) MIME-Version: 1.0 Received: by 10.12.130.133 with HTTP; Mon, 2 Jan 2017 21:04:50 -0800 (PST) In-Reply-To: <6A91D4E4-750D-42C0-B593-3D5014B8A3F7@xbt.hk> References: <400152B9-1838-432A-829E-13E4FC54320C@gmail.com> <6A91D4E4-750D-42C0-B593-3D5014B8A3F7@xbt.hk> From: "Russell O'Connor" Date: Tue, 3 Jan 2017 00:04:50 -0500 Message-ID: To: Bitcoin Protocol Discussion Content-Type: multipart/alternative; boundary=001a114fe106daa4c90545299cf2 X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID, HTML_MESSAGE, RCVD_IN_DNSWL_LOW, RCVD_IN_SORBS_SPAM autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on smtp1.linux-foundation.org Subject: Re: [bitcoin-dev] Script Abuse Potential? X-BeenThere: bitcoin-dev@lists.linuxfoundation.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Bitcoin Protocol Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 03 Jan 2017 05:05:12 -0000 --001a114fe106daa4c90545299cf2 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable OP_2DUP? Why not OP_3DUP? On Mon, Jan 2, 2017 at 10:39 PM, Johnson Lau via bitcoin-dev < bitcoin-dev@lists.linuxfoundation.org> wrote: > No, there could only have not more than 201 opcodes in a script. So you > may have 198 OP_2DUP at most, i.e. 198 * 520 * 2 =3D 206kB > > For OP_CAT, just check if the returned item is within the 520 bytes limit= . > > On 3 Jan 2017, at 11:27, Jeremy via bitcoin-dev linuxfoundation.org> wrote: > > It is an unfortunate script, but can't actually > =E2=80=8Bdo > that much > =E2=80=8B it seems=E2=80=8B > . The MAX_SCRIPT_ELEMENT_SIZE =3D 520 Bytes. > =E2=80=8B Thus, it would seem the worst you could do with this would be t= o (10000-520*2)*520*2 > bytes ~=3D~ 10 MB. > > =E2=80=8BMuch more concerning would be the op_dup/op_cat style bug, which= under a > similar script =E2=80=8Bwould certainly cause out of memory errors :) > > > > -- > @JeremyRubin > > > On Mon, Jan 2, 2017 at 4:39 PM, Steve Davis via bitcoin-dev < > bitcoin-dev@lists.linuxfoundation.org> wrote: > >> Hi all, >> >> Suppose someone were to use the following pk_script: >> >> [op_2dup, op_2dup, op_2dup, op_2dup, op_2dup, ...(to limit)..., >> op_2dup, op_hash160, , op_equalverify, op_checksig] >> >> This still seems to be valid AFAICS, and may be a potential attack vecto= r? >> >> Thanks. >> >> >> _______________________________________________ >> bitcoin-dev mailing list >> bitcoin-dev@lists.linuxfoundation.org >> https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev >> >> > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > > > > _______________________________________________ > bitcoin-dev mailing list > bitcoin-dev@lists.linuxfoundation.org > https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev > > --001a114fe106daa4c90545299cf2 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
OP_2DUP?=C2=A0 Why not OP_3DUP?

On Mon, Jan 2, 2017 at 10:39 PM, J= ohnson Lau via bitcoin-dev <bitcoin-dev@lists.linuxfou= ndation.org> wrote:
No, there could only have not more than 2= 01 opcodes in a script. So you may have 198 OP_2DUP at most, i.e. 198 * 520= * 2 =3D 206kB

For OP_CAT, just check if the retur= ned item is within the 520 bytes limit.

On 3 Jan 2017, at 11:27, Jeremy via bitcoi= n-dev <bitcoin-dev@lists.linuxfoundation.org> wrote:
=
It is an unfortunate scrip= t, but can't actually=C2=A0
=E2=80=8Bdo
=C2=A0that much
=E2=80=8B it seems= =E2=80=8B
. The MAX_SCRIPT_ELEMENT_SIZE =3D 520 B= ytes.
=E2=80=8B Thus, it would seem the w= orst you could do with this would be to=C2=A0(10000-520*2)*520*2 byt= es =C2=A0~=3D~ 10 MB.

=E2=80=8BMuch more concerning would be the op_dup/op_cat style bug, whi= ch under a similar script =E2=80=8Bwould certainly cause out of memory erro= rs :)




On Mon, Jan 2, 2017 at 4:39 PM, Steve Davis = via bitcoin-dev <bitcoin-dev@lists.linuxfoundatio= n.org> wrote:
Hi all,

Suppose someone were to use the followi= ng pk_script:

[op_2dup, op_2dup, op_2dup, op_2dup, op_2dup, ..= .(to limit)..., op_2dup,=C2=A0op_hash160, <addr_hash>, op_equalverify= , op_checksig]

This still seems to be = valid AFAICS, and may be a potential attack vector?

Thanks.


_______________________= ________________________
bitcoin-dev mailing list
= bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org= /mailman/listinfo/bitcoin-dev


_______________________________________________
bitcoin-dev mailing= list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev<= /a>


_________________= ______________________________
bitcoin-dev mailing list
bitcoin-dev@lists.= linuxfoundation.org
https://lists.linuxfoundation.org= /mailman/listinfo/bitcoin-dev


--001a114fe106daa4c90545299cf2--