fix: guard nil syncer dereference in statesync Reactor.Receive (backport #2883)#2931
Merged
rootulp merged 2 commits intov0.39.x-celestiafrom Apr 17, 2026
Merged
Conversation
Closes https://dashboard.hackenproof.com/manager/companies/celestia/celestia/reports/CELESTIA-239 ## Summary - A connected P2P peer could crash any non-state-syncing node (the default operating mode) by sending a single `SnapshotsResponse` with `Chunks > MaxSnapshotChunks`. The `validateMsg` error path in `Reactor.Receive` called `r.syncer.RejectPeer()` before checking whether `r.syncer` was nil, causing an unrecovered panic that terminates the node process. - Added a nil guard with mutex protection around the `RejectPeer` call so oversized snapshot messages are safely rejected when no state sync is active. - Added a regression test that confirms the panic without the fix and passes with it. ## Test plan - [x] New test `TestReactor_Receive_OversizedSnapshotResponse_NilSyncer` verifies no panic when `r.syncer` is nil and an oversized `SnapshotsResponse` is received - [x] Full `./statesync/...` test suite passes - [x] `go vet ./statesync/...` clean 🤖 Generated with [Claude Code](https://claude.com/claude-code) <!-- devin-review-badge-begin --> --- <a href="https://app.devin.ai/review/celestiaorg/celestia-core/pull/2883" target="_blank"> <picture> <source media="(prefers-color-scheme: dark)" srcset="https://static.devin.ai/assets/gh-open-in-devin-review-dark.svg?v=1"> <img src="https://static.devin.ai/assets/gh-open-in-devin-review-light.svg?v=1" alt="Open with Devin"> </picture> </a> <!-- devin-review-badge-end --> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> (cherry picked from commit 2ac43b1)
mergify
Bot
requested review from
evan-forbes,
mcrakhman,
ninabarbakadze and
rach-id
as code owners
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
Comment on lines
+1
to
+3
| - `[statesync]` Guard against nil syncer dereference in Reactor.Receive | ||
| when processing oversized SnapshotsResponse messages while no state sync | ||
| is in progress. |
There was a problem hiding this comment.
🟡 Changelog filename missing required issue/PR number prefix
Both CONTRIBUTING.md and CLAUDE.md mandate that changelog entries follow the naming pattern {issue-or-pr-number}-{description}.md. The file statesync-nil-syncer-panic.md is missing the PR number prefix. All released changelog entries in the repo consistently use a number prefix (e.g., 2913-mempool-user-tx-latency-metric.md, 3092-consensus-timeout-ticker-data-race.md). This PR is #2931, so the file should be named 2931-statesync-nil-syncer-panic.md.
Prompt for agents
The changelog file at .changelog/unreleased/bug-fixes/statesync-nil-syncer-panic.md needs to be renamed to include the PR number as a prefix, per the conventions in CONTRIBUTING.md and CLAUDE.md. The file should be renamed to .changelog/unreleased/bug-fixes/2931-statesync-nil-syncer-panic.md (or use the relevant issue number if one exists). This is a file rename, not a content change.
Was this helpful? React with 👍 or 👎 to provide feedback.
ninabarbakadze
approved these changes
Apr 17, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes https://dashboard.hackenproof.com/manager/companies/celestia/celestia/reports/CELESTIA-239
Summary
SnapshotsResponsewithChunks > MaxSnapshotChunks. ThevalidateMsgerror path inReactor.Receivecalledr.syncer.RejectPeer()before checking whetherr.syncerwas nil, causing an unrecovered panic that terminates the node process.RejectPeercall so oversized snapshot messages are safely rejected when no state sync is active.Test plan
TestReactor_Receive_OversizedSnapshotResponse_NilSyncerverifies no panic whenr.synceris nil and an oversizedSnapshotsResponseis received./statesync/...test suite passesgo vet ./statesync/...clean🤖 Generated with Claude Code
This is an automatic backport of pull request #2883 done by [Mergify](https://mergify.com).