Reject trailing bytes in StmtResponse body decode

StmtResponse was the last fixed-body response still accepting oversized
bodies via a minimum-length check. Every sibling (DbResponse,
EmptyResponse, ResultResponse, FilesResponse) already enforces exact
length. Align on the strict-decode policy: schema-0 bodies must be
exactly 16 bytes, schema-1 bodies exactly 24 bytes — extra trailing
bytes are now refused rather than silently discarded.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: antoineleclair

src/dqlitewire/messages/responses.py

@@ -261,9 +261,10 @@ def encode_body(self) -> bytes:
     @classmethod
     def decode_body(cls, data: bytes, schema: int = 0) -> "StmtResponse":
         expected = 24 if schema >= 1 else 16
-        if len(data) < expected:
+        if len(data) != expected:
             raise DecodeError(
-                f"StmtResponse schema={schema} requires at least {expected} bytes, got {len(data)}"
+                f"StmtResponse schema={schema} body must be exactly {expected} bytes, "
+                f"got {len(data)}"
             )
         db_id = decode_uint32(data)
         stmt_id = decode_uint32(data[4:])

tests/test_codec.py

@@ -999,20 +999,25 @@ def test_max_uint64_roundtrip(self) -> None:
         assert isinstance(decoded, ClientRequest)
         assert decoded.client_id == 2**64 - 1
 
-    def test_stmt_response_v0_with_trailing_data_not_detected_as_v1(self) -> None:
-        """StmtResponse V0 with trailing bytes must not be misdetected as V1."""
+    def test_stmt_response_v0_with_trailing_data_rejected(self) -> None:
+        """StmtResponse V0 with trailing bytes must be rejected outright.
+
+        Previously the schema-aware decode only prevented mis-detection
+        as V1 (tail_offset was forced None). Under strict-length semantics
+        a 24-byte body under schema=0 is itself invalid — the Go/C
+        servers never emit trailing padding on fixed-body responses, and
+        accepting it silently is the same "two states collapsed into one"
+        bug that schema-awareness was meant to fix.
+        """
+        from dqlitewire.exceptions import DecodeError
         from dqlitewire.messages.base import Header
         from dqlitewire.types import encode_uint32, encode_uint64
 
-        # Build a V0 body (16 bytes) + 8 extra trailing bytes (total 24)
-        # Without schema awareness, len >= 24 triggers V1 decode reading garbage tail_offset
         body = encode_uint32(1) + encode_uint32(2) + encode_uint64(3) + b"\x00" * 8
         header = Header(size_words=3, msg_type=5, schema=0)
         data = header.encode() + body
-        decoded = decode_message(data, is_request=False)
-        assert isinstance(decoded, StmtResponse)
-        # With schema=0 in header, tail_offset should NOT be decoded
-        assert decoded.tail_offset is None
+        with pytest.raises(DecodeError, match=r"schema=0 body must be exactly 16 bytes"):
+            decode_message(data, is_request=False)
 
 
 class TestDecoderContinuation:

tests/test_messages_responses.py

@@ -205,8 +205,8 @@ def test_v0_has_no_tail_offset(self) -> None:
         assert decoded.tail_offset is None
 
     def test_schema_0_rejects_short_body(self) -> None:
-        """235: Schema=0 body must be at least 16 bytes."""
-        with pytest.raises(DecodeError, match="requires at least 16 bytes"):
+        """235: Schema=0 body must be exactly 16 bytes."""
+        with pytest.raises(DecodeError, match=r"schema=0 body must be exactly 16 bytes"):
             StmtResponse.decode_body(b"\x00" * 8, schema=0)
 
     def test_schema_1_rejects_v0_length_body(self) -> None:
@@ -218,7 +218,7 @@ def test_schema_1_rejects_v0_length_body(self) -> None:
         """
         v0_body = b"\x01\x00\x00\x00" + b"\x02\x00\x00\x00" + b"\x03" + b"\x00" * 7
         assert len(v0_body) == 16
-        with pytest.raises(DecodeError, match="requires at least 24 bytes"):
+        with pytest.raises(DecodeError, match=r"schema=1 body must be exactly 24 bytes"):
             StmtResponse.decode_body(v0_body, schema=1)
 
     def test_rejects_oversized_num_params(self) -> None:

tests/test_responses_strict_length.py

@@ -14,7 +14,7 @@
 import pytest
 
 from dqlitewire.exceptions import DecodeError
-from dqlitewire.messages.responses import DbResponse, EmptyResponse, ResultResponse
+from dqlitewire.messages.responses import DbResponse, EmptyResponse, ResultResponse, StmtResponse
 
 
 class TestEmptyResponseStrictLength:
@@ -78,3 +78,61 @@ def test_exact_length_accepted(self) -> None:
     def test_trailing_bytes_rejected(self) -> None:
         with pytest.raises(DecodeError, match="ResultResponse body must be exactly 16 bytes"):
             ResultResponse.decode_body(b"\x00" * 17)
+
+
+class TestStmtResponseStrictLength:
+    """StmtResponse carries db_id + stmt_id + num_params (+ optional
+    tail_offset for schema>=1). Body is exactly 16 bytes (schema 0) or
+    24 bytes (schema 1). Trailing bytes had been silently accepted;
+    sibling responses reject them.
+    """
+
+    @staticmethod
+    def _body_schema0(db_id: int = 1, stmt_id: int = 42, num_params: int = 3) -> bytes:
+        return (
+            db_id.to_bytes(4, "little")
+            + stmt_id.to_bytes(4, "little")
+            + num_params.to_bytes(8, "little")
+        )
+
+    @staticmethod
+    def _body_schema1(
+        db_id: int = 1, stmt_id: int = 42, num_params: int = 3, tail_offset: int = 0
+    ) -> bytes:
+        return TestStmtResponseStrictLength._body_schema0(
+            db_id, stmt_id, num_params
+        ) + tail_offset.to_bytes(8, "little")
+
+    def test_short_body_rejected_schema0(self) -> None:
+        with pytest.raises(DecodeError, match=r"StmtResponse schema=0 body must be exactly 16"):
+            StmtResponse.decode_body(b"\x00" * 15, schema=0)
+
+    def test_exact_length_accepted_schema0(self) -> None:
+        msg = StmtResponse.decode_body(self._body_schema0(), schema=0)
+        assert msg.db_id == 1
+        assert msg.stmt_id == 42
+        assert msg.num_params == 3
+        assert msg.tail_offset is None
+
+    def test_trailing_bytes_rejected_schema0(self) -> None:
+        """Previous decoder silently accepted extra bytes; must now
+        raise so a conforming StmtResponse round-trips exactly."""
+        body = self._body_schema0() + b"\x01"
+        with pytest.raises(DecodeError, match=r"StmtResponse schema=0 body must be exactly 16"):
+            StmtResponse.decode_body(body, schema=0)
+
+    def test_short_body_rejected_schema1(self) -> None:
+        with pytest.raises(DecodeError, match=r"StmtResponse schema=1 body must be exactly 24"):
+            StmtResponse.decode_body(b"\x00" * 23, schema=1)
+
+    def test_exact_length_accepted_schema1(self) -> None:
+        msg = StmtResponse.decode_body(self._body_schema1(tail_offset=7), schema=1)
+        assert msg.db_id == 1
+        assert msg.stmt_id == 42
+        assert msg.num_params == 3
+        assert msg.tail_offset == 7
+
+    def test_trailing_bytes_rejected_schema1(self) -> None:
+        body = self._body_schema1() + b"\x02"
+        with pytest.raises(DecodeError, match=r"StmtResponse schema=1 body must be exactly 24"):
+            StmtResponse.decode_body(body, schema=1)