fix: Handle invalid marker parameter in grpc call (#5317)

The `end_marker` is used to limit the range of ledger entries to fetch. If `end_marker` is less than `marker`, a crash can occur. This change adds an additional check.
2025-11-04 11:15:56 +00:00 · 2025-03-18 12:21:33 +00:00
parent d9b7a2688f
commit a7fb8ae915
1 changed files with 14 additions and 7 deletions
--- a/src/xrpld/rpc/handlers/LedgerData.cpp
+++ b/src/xrpld/rpc/handlers/LedgerData.cpp
@@ -170,16 +170,23 @@ doLedgerDataGrpc(
    }

    auto e = ledger->sles.end();
-    if (auto key = uint256::fromVoidChecked(request.end_marker()))
+    if (request.end_marker().size() != 0)
    {
+        auto const key = uint256::fromVoidChecked(request.end_marker());
+
+        if (!key)
+            return {
+                response,
+                {grpc::StatusCode::INVALID_ARGUMENT, "end marker malformed"}};
+
+        if (*key < startKey)
+            return {
+                response,
+                {grpc::StatusCode::INVALID_ARGUMENT,
+                 "end marker out of range"}};
+
        e = ledger->sles.upper_bound(*key);
    }
-    else if (request.end_marker().size() != 0)
-    {
-        grpc::Status errorStatus{
-            grpc::StatusCode::INVALID_ARGUMENT, "end marker malformed"};
-        return {response, errorStatus};
-    }

    int maxLimit = RPC::Tuning::pageLength(true);