Reject trailing bytes in LeaderResponse body decode

antoineleclair · claude · antoineleclair · commit 8a5a403724bc · 2026-04-21T17:35:57.000-04:00
Both LeaderResponse.decode_body (modern node_id + address) and
decode_body_legacy (address-only, pre-1.0 servers) discarded the
consumed-byte count from decode_text and never verified the buffer
was fully consumed. Trailing bytes after the padded address were
silently dropped — the last variable-length cluster-topology
decoders still permissive after the strict-decode sweep.

LeaderResponse feeds ClusterClient.find_leader, which uses the
advertised address to open a new connection. Corrupt frames with
trailing garbage previously consumed subsequent messages' framing
and produced symptoms far from the cause; reject them at the
decoder boundary instead.

Tests pin exact-body round-trips and trailing-byte rejection for
both schemas.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/dqlitewire/messages/responses.py b/src/dqlitewire/messages/responses.py
@@ -153,11 +153,18 @@ def decode_body(cls, data: bytes, schema: int = 0) -> "LeaderResponse":
         node_id, use decode_body_legacy() instead.
         """
         node_id = decode_uint64(data)
-        address, _ = decode_text(data[8:])
+        address, consumed = decode_text(data[8:])
         if len(address) > _MAX_ADDRESS_SIZE:
             raise DecodeError(
                 f"leader address length {len(address)} exceeds maximum {_MAX_ADDRESS_SIZE}"
             )
+        offset = 8 + consumed
+        if offset != len(data):
+            # Strict-decode parity with sibling decoders: conforming
+            # Go/C servers never emit trailing padding on this body.
+            raise DecodeError(
+                f"LeaderResponse has {len(data) - offset} trailing bytes after address"
+            )
         return cls(node_id, _sanitize_server_text(address))
 
     @classmethod
@@ -167,11 +174,15 @@ def decode_body_legacy(cls, data: bytes) -> "LeaderResponse":
         Legacy format: text address only (no node_id). Returns node_id=0.
         Go reference: DecodeNodeLegacy in internal/protocol/message.go.
         """
-        address, _ = decode_text(data)
+        address, consumed = decode_text(data)
         if len(address) > _MAX_ADDRESS_SIZE:
             raise DecodeError(
                 f"leader address length {len(address)} exceeds maximum {_MAX_ADDRESS_SIZE}"
             )
+        if consumed != len(data):
+            raise DecodeError(
+                f"LeaderResponse (legacy) has {len(data) - consumed} trailing bytes after address"
+            )
         return cls(node_id=0, address=_sanitize_server_text(address))
 
 
diff --git a/tests/test_responses_strict_length.py b/tests/test_responses_strict_length.py
@@ -235,6 +235,63 @@ def test_empty_list_trailing_bytes_rejected(self) -> None:
             ServersResponse.decode_body(body)
 
 
+class TestLeaderResponseStrictLength:
+    """Modern body: uint64 node_id + padded text address. Legacy body:
+    padded text address only. Trailing bytes after the address had
+    been silently dropped."""
+
+    @staticmethod
+    def _modern_body(node_id: int = 7, addr: str = "1.2.3.4:9001") -> bytes:
+        from dqlitewire.types import encode_text, encode_uint64
+
+        return encode_uint64(node_id) + encode_text(addr)
+
+    def test_modern_exact_round_trip(self) -> None:
+        from dqlitewire.messages.responses import LeaderResponse
+
+        msg = LeaderResponse.decode_body(self._modern_body())
+        assert msg.node_id == 7
+        assert msg.address == "1.2.3.4:9001"
+
+    def test_modern_trailing_byte_rejected(self) -> None:
+        from dqlitewire.messages.responses import LeaderResponse
+
+        body = self._modern_body() + b"\x01"
+        with pytest.raises(DecodeError, match=r"LeaderResponse has 1 trailing byte"):
+            LeaderResponse.decode_body(body)
+
+    def test_modern_trailing_word_rejected(self) -> None:
+        from dqlitewire.messages.responses import LeaderResponse
+
+        body = self._modern_body() + b"\x00" * 8
+        with pytest.raises(DecodeError, match=r"LeaderResponse has 8 trailing byte"):
+            LeaderResponse.decode_body(body)
+
+    def test_legacy_exact_round_trip(self) -> None:
+        from dqlitewire.messages.responses import LeaderResponse
+        from dqlitewire.types import encode_text
+
+        msg = LeaderResponse.decode_body_legacy(encode_text("10.0.0.1:9001"))
+        assert msg.node_id == 0
+        assert msg.address == "10.0.0.1:9001"
+
+    def test_legacy_trailing_byte_rejected(self) -> None:
+        from dqlitewire.messages.responses import LeaderResponse
+        from dqlitewire.types import encode_text
+
+        body = encode_text("10.0.0.1:9001") + b"\x01"
+        with pytest.raises(DecodeError, match=r"LeaderResponse \(legacy\) has 1 trailing byte"):
+            LeaderResponse.decode_body_legacy(body)
+
+    def test_legacy_trailing_word_rejected(self) -> None:
+        from dqlitewire.messages.responses import LeaderResponse
+        from dqlitewire.types import encode_text
+
+        body = encode_text("10.0.0.1:9001") + b"\x00" * 8
+        with pytest.raises(DecodeError, match=r"LeaderResponse \(legacy\) has 8 trailing byte"):
+            LeaderResponse.decode_body_legacy(body)
+
+
 class TestMetadataResponseStrictLength:
     """Body is two uint64s (failure_domain + weight) — exactly 16 bytes."""
 
