Reject trailing bytes in fixed-length response decoders

EmptyResponse and DbResponse used len(data) < expected guards,
which silently discarded any trailing bytes past the first 8 — a
permissive parse asymmetric with peers like LeaderRequest.decode_body
that already enforce exact-length. ResultResponse had no up-front
length check at all: truncated bodies raised a generic "Need 8 bytes
for uint64" from the primitive decoder (losing the ResultResponse
frame name in the message), and oversized bodies silently succeeded.

Tighten all three to len(data) != N with the message naming the
framed type, and add a strict-length test suite covering short,
exact, trailing-bytes, and trailing-zero inputs so future regressions
fail loudly.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: antoineleclair

src/dqlitewire/messages/responses.py

@@ -211,8 +211,8 @@ def encode_body(self) -> bytes:
 
     @classmethod
     def decode_body(cls, data: bytes, schema: int = 0) -> "DbResponse":
-        if len(data) < 8:
-            raise DecodeError(f"DbResponse body must be 8 bytes, got {len(data)}")
+        if len(data) != 8:
+            raise DecodeError(f"DbResponse body must be exactly 8 bytes, got {len(data)}")
         db_id = decode_uint32(data)
         reserved = decode_uint32(data[4:])
         if reserved != 0:
@@ -298,6 +298,8 @@ def encode_body(self) -> bytes:
 
     @classmethod
     def decode_body(cls, data: bytes, schema: int = 0) -> "ResultResponse":
+        if len(data) != 16:
+            raise DecodeError(f"ResultResponse body must be exactly 16 bytes, got {len(data)}")
         last_insert_id = decode_uint64(data)
         rows_affected = decode_uint64(data[8:])
         return cls(last_insert_id, rows_affected)
@@ -558,8 +560,8 @@ def encode_body(self) -> bytes:
 
     @classmethod
     def decode_body(cls, data: bytes, schema: int = 0) -> "EmptyResponse":
-        if len(data) < 8:
-            raise DecodeError(f"EmptyResponse body must be 8 bytes, got {len(data)}")
+        if len(data) != 8:
+            raise DecodeError(f"EmptyResponse body must be exactly 8 bytes, got {len(data)}")
         reserved = decode_uint64(data)
         if reserved != 0:
             raise DecodeError(f"EmptyResponse reserved field must be 0, got {reserved}")

tests/test_responses_strict_length.py

@@ -0,0 +1,80 @@
+"""Fixed-length response decoders must reject trailing bytes.
+
+Strict-parse peers in this module (``LeaderRequest.decode_body``,
+``StmtResponse.decode_body``) assert exact body lengths. The three
+messages audited here previously accepted ``len >= expected``,
+silently ignoring trailing bytes — asymmetric with peers and
+permissive in a way that masks frame-corruption.
+
+Peers of ISSUE-298 / ISSUE-299.
+"""
+
+from __future__ import annotations
+
+import pytest
+
+from dqlitewire.exceptions import DecodeError
+from dqlitewire.messages.responses import DbResponse, EmptyResponse, ResultResponse
+
+
+class TestEmptyResponseStrictLength:
+    def test_short_body_rejected(self) -> None:
+        with pytest.raises(DecodeError, match="EmptyResponse body must be exactly 8 bytes"):
+            EmptyResponse.decode_body(b"\x00" * 7)
+
+    def test_exact_length_accepted(self) -> None:
+        msg = EmptyResponse.decode_body(b"\x00" * 8)
+        assert isinstance(msg, EmptyResponse)
+
+    def test_trailing_bytes_rejected(self) -> None:
+        """16-byte body: decoders used to silently discard the
+        trailing 8 bytes. Must now raise.
+        """
+        with pytest.raises(DecodeError, match="EmptyResponse body must be exactly 8 bytes"):
+            EmptyResponse.decode_body(b"\x00" * 16)
+
+    def test_trailing_zero_bytes_still_rejected(self) -> None:
+        """Trailing zeros look innocuous but must still fail — the
+        decoder should not need to introspect the padding."""
+        with pytest.raises(DecodeError, match="EmptyResponse body must be exactly 8 bytes"):
+            EmptyResponse.decode_body(b"\x00" * 9)
+
+    def test_reserved_nonzero_still_rejected(self) -> None:
+        """Length check comes first; reserved-field check must still
+        apply on exactly-8-byte bodies."""
+        with pytest.raises(DecodeError, match="reserved field must be 0"):
+            EmptyResponse.decode_body(b"\x01" + b"\x00" * 7)
+
+
+class TestDbResponseStrictLength:
+    def test_short_body_rejected(self) -> None:
+        with pytest.raises(DecodeError, match="DbResponse body must be exactly 8 bytes"):
+            DbResponse.decode_body(b"\x00" * 7)
+
+    def test_exact_length_accepted(self) -> None:
+        msg = DbResponse.decode_body(b"\x05\x00\x00\x00" + b"\x00" * 4)
+        assert isinstance(msg, DbResponse)
+        assert msg.db_id == 5
+
+    def test_trailing_bytes_rejected(self) -> None:
+        with pytest.raises(DecodeError, match="DbResponse body must be exactly 8 bytes"):
+            DbResponse.decode_body(b"\x00" * 16)
+
+
+class TestResultResponseStrictLength:
+    def test_short_body_rejected_with_type_name(self) -> None:
+        """Error message names ``ResultResponse``, not just
+        ``uint64`` — so operators reading logs can trace the
+        framed message."""
+        with pytest.raises(DecodeError, match="ResultResponse body must be exactly 16 bytes"):
+            ResultResponse.decode_body(b"\x00" * 15)
+
+    def test_exact_length_accepted(self) -> None:
+        body = (42).to_bytes(8, "little") + (7).to_bytes(8, "little")
+        msg = ResultResponse.decode_body(body)
+        assert msg.last_insert_id == 42
+        assert msg.rows_affected == 7
+
+    def test_trailing_bytes_rejected(self) -> None:
+        with pytest.raises(DecodeError, match="ResultResponse body must be exactly 16 bytes"):
+            ResultResponse.decode_body(b"\x00" * 17)