Use a BoundedVec in ValidationResult (#6603)

* Use a `BoundedVec` in `ValidationResult`

> Use a `BoundedVec` for `upward_messages` and `horizontal_messages` in order to
> limit the number of individual messages/memory allocations right at decoding
> time. The reason for this is that the `ValidationResult` may contain a code
> upgrade (including a full PVF binary), so the total size limit can't be set
> too low and this limit will still allow several millions of upward messages,
> which will (due to the memory allocator overhead) already have a
> non-negligible memory footprint in decoded form.

* List all fields when hashing so we don't miss one

* Define types for  `BoundedVec`s of messages

* Fix test compile errors

* Depend on `bounded-collections` 0.1.4 (fixes allocation issue)

* Fix compilation issue

* Derive `Hash` instead of manual `impl`

* Avoid use of unwrap

polkadot/parachain/Cargo.toml

@@ -17,6 +17,7 @@ sp-core = { git = "https://github.com/paritytech/substrate", branch = "master",
 frame-support = { git = "https://github.com/paritytech/substrate", branch = "master", default-features = false }
 polkadot-core-primitives = { path = "../core-primitives", default-features = false }
 derive_more = "0.99.11"
+bounded-collections = { version = "0.1.5", default-features = false }
 
 # all optional crates.
 serde = { version = "1.0.137", default-features = false, features = [ "derive" ], optional = true }
@@ -25,6 +26,7 @@ serde = { version = "1.0.137", default-features = false, features = [ "derive" ]
 default = ["std"]
 wasm-api = []
 std = [
+	"bounded-collections/std",
 	"parity-scale-codec/std",
 	"scale-info/std",
 	"serde/std",

polkadot/parachain/src/primitives.rs

@@ -19,6 +19,7 @@
 
 use sp_std::vec::Vec;
 
+use bounded_collections::{BoundedVec, ConstU32};
 use frame_support::weights::Weight;
 use parity_scale_codec::{CompactAs, Decode, Encode, MaxEncodedLen};
 use scale_info::TypeInfo;
@@ -361,6 +362,22 @@ pub struct ValidationParams {
 	pub relay_parent_storage_root: Hash,
 }
 
+/// Maximum number of HRMP messages allowed per candidate.
+///
+/// We also use this as a generous limit, which still prevents possible memory exhaustion, from
+/// malicious parachains that may otherwise return a huge amount of messages in `ValidationResult`.
+pub const MAX_HORIZONTAL_MESSAGE_NUM: u32 = 16 * 1024;
+/// Maximum number of UMP messages allowed per candidate.
+///
+/// We also use this as a generous limit, which still prevents possible memory exhaustion, from
+/// malicious parachains that may otherwise return a huge amount of messages in `ValidationResult`.
+pub const MAX_UPWARD_MESSAGE_NUM: u32 = 16 * 1024;
+
+pub type UpwardMessages = BoundedVec<UpwardMessage, ConstU32<MAX_UPWARD_MESSAGE_NUM>>;
+
+pub type HorizontalMessages =
+	BoundedVec<OutboundHrmpMessage<Id>, ConstU32<MAX_HORIZONTAL_MESSAGE_NUM>>;
+
 /// The result of parachain validation.
 // TODO: balance uploads (https://github.com/paritytech/polkadot/issues/220)
 #[derive(PartialEq, Eq, Clone, Encode)]
@@ -371,9 +388,9 @@ pub struct ValidationResult {
 	/// An update to the validation code that should be scheduled in the relay chain.
 	pub new_validation_code: Option<ValidationCode>,
 	/// Upward messages send by the Parachain.
-	pub upward_messages: Vec<UpwardMessage>,
+	pub upward_messages: UpwardMessages,
 	/// Outbound horizontal messages sent by the parachain.
-	pub horizontal_messages: Vec<OutboundHrmpMessage<Id>>,
+	pub horizontal_messages: HorizontalMessages,
 	/// Number of downward messages that were processed by the Parachain.
 	///
 	/// It is expected that the Parachain processes them from first to last.

polkadot/parachain/test-parachains/adder/collator/src/lib.rs

@@ -172,8 +172,8 @@ impl Collator {
 			let pov = PoV { block_data: block_data.encode().into() };
 
 			let collation = Collation {
-				upward_messages: Vec::new(),
-				horizontal_messages: Vec::new(),
+				upward_messages: Default::default(),
+				horizontal_messages: Default::default(),
 				new_validation_code: None,
 				head_data: head_data.encode().into(),
 				proof_of_validity: MaybeCompressedPoV::Raw(pov.clone()),

polkadot/parachain/test-parachains/adder/src/wasm_validation.rs

@@ -37,8 +37,10 @@ pub extern "C" fn validate_block(params: *const u8, len: usize) -> u64 {
 	parachain::write_result(&ValidationResult {
 		head_data: GenericHeadData(new_head.encode()),
 		new_validation_code: None,
-		upward_messages: sp_std::vec::Vec::new(),
-		horizontal_messages: sp_std::vec::Vec::new(),
+		upward_messages: sp_std::vec::Vec::new().try_into().expect("empty vec fits into bounds"),
+		horizontal_messages: sp_std::vec::Vec::new()
+			.try_into()
+			.expect("empty vec fits into bounds"),
 		processed_downward_messages: 0,
 		hrmp_watermark: params.relay_parent_number,
 	})

polkadot/parachain/test-parachains/undying/collator/src/lib.rs

@@ -247,8 +247,8 @@ impl Collator {
 			let pov = PoV { block_data: block_data.encode().into() };
 
 			let collation = Collation {
-				upward_messages: Vec::new(),
-				horizontal_messages: Vec::new(),
+				upward_messages: Default::default(),
+				horizontal_messages: Default::default(),
 				new_validation_code: None,
 				head_data: head_data.encode().into(),
 				proof_of_validity: MaybeCompressedPoV::Raw(pov.clone()),

polkadot/parachain/test-parachains/undying/src/wasm_validation.rs

@@ -37,8 +37,10 @@ pub extern "C" fn validate_block(params: *const u8, len: usize) -> u64 {
 	parachain::write_result(&ValidationResult {
 		head_data: GenericHeadData(new_head.encode()),
 		new_validation_code: None,
-		upward_messages: sp_std::vec::Vec::new(),
-		horizontal_messages: sp_std::vec::Vec::new(),
+		upward_messages: sp_std::vec::Vec::new().try_into().expect("empty vec fits within bounds"),
+		horizontal_messages: sp_std::vec::Vec::new()
+			.try_into()
+			.expect("empty vec fits within bounds"),
 		processed_downward_messages: 0,
 		hrmp_watermark: params.relay_parent_number,
 	})