fix: limit signing share sessions per peer

[thepastaclaw]

fix: limit signing share sessions per peer

Issue being fixed or feature implemented

Peers can announce many distinct QSIGSESANN signing sessions. Without a per-peer
cap, a peer can make its node state grow with announcement-only sessions.

What was done?

• Add a per-peer limit for sessions created from QSIGSESANN announcements.
• Preserve refresh of an already-known session so normal re-announcements remain
  accepted.
• Seed the existing session timeout state for newly announced sessions, without
  refreshing that timeout on repeated announcements.
• Add unit coverage for the session cap helper.

How Has This Been Tested?

Tested on macOS arm64.

• git diff --check upstream/develop...HEAD
• make -j8 src/test/test_dash
• src/test/test_dash --run_test=llmq_signing_shares_tests
• Pre-PR code review gate: ship

Breaking Changes

None.

Checklist

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have added or updated relevant unit/integration/functional/e2e tests
• I have made corresponding changes to the documentation
• I have assigned this pull request to a milestone

[thepastaclaw]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: b8a999b3-bbb8-4676-ae65-0990a1a30f6e

📥 Commits

Reviewing files that changed from the base of the PR and between 03dddee and 76a6fd7.

📒 Files selected for processing (1)

• src/llmq/signing_shares.cpp

🚧 Files skipped from review as they are similar to previous changes (1)

• src/llmq/signing_shares.cpp

---

Walkthrough

This PR enforces per-peer session limits for LLMQ signing shares. It adds GetMaxSessionsForPeer and related constants, four [[nodiscard]] CSigSharesNodeState query methods, and marks sessions that received announcements. ProcessMessageSigSesAnn now fetches LLMQ params, computes a per-peer maxSessions, rejects announcements exceeding the cap with logging, and records time-seen entries for accepted sign hashes. Cleanup now also considers sign hashes in timeSeenForSessions when removing recovered sessions. Unit tests verify limit enforcement, refresh semantics, send-only session exclusions, and per-LLMQType scoping.

Sequence Diagram(s)

sequenceDiagram
  participant Peer
  participant CSigSharesManager
  participant CSigSharesNodeState
  participant TimeSeenStore

  Peer->>CSigSharesManager: CSigSesAnn(llmqType, signHash)
  CSigSharesManager->>CSigSharesManager: Params().GetLLMQ(llmqType)
  CSigSharesManager->>CSigSharesNodeState: CanCreateSessionFromAnn(ann, maxSessions)
  alt below cap
    CSigSharesNodeState-->>CSigSharesManager: true
    CSigSharesManager->>TimeSeenStore: timeSeenForSessions.try_emplace(signHash)
    CSigSharesManager-->>Peer: accept announcement
  else at or over cap
    CSigSharesNodeState-->>CSigSharesManager: false
    CSigSharesManager-->>Peer: reject announcement (logged)
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

• UdjinM6
• PastaPastaPasta

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 5.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately reflects the main change: adding per-peer limits for signing share sessions from LLMQ announcements.
Description check	✅ Passed	The description clearly relates to the changeset, explaining the issue being fixed (unbounded session growth), the solution implemented, testing performed, and confirming no breaking changes.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

✅ No Merge Conflicts Detected

This PR currently has no conflicts with other open PRs.

[thepastaclaw]

@coderabbitai review

[thepastaclaw]

Follow-up pushed in f54c9b7: kept the per-peer signing-session cap bounded, but added a minimum cap of 100 sessions so small test/devnet quorums do not exhaust the limit during normal ChainLock/InstantSend bursts before session cleanup runs.

Validation:

• make -C src -j8 test/llmq_signing_shares_tests.cpp.test test/test_dash
• src/test/test_dash --run_test=llmq_signing_shares_tests --catch_system_errors=no
• src/test/test_dash --run_test=evo_dip3_activation_tests/verify_db_legacy --catch_system_errors=no
• test/functional/feature_llmq_chainlocks.py --configfile=$(pwd)/test/config.ini --tmpdir=/tmp/pr7351-chainlocks-test could not run locally because this worktree was built without wallet support; CI will cover the wallet functional path.

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

@thepastaclaw Thanks for the follow-up — the minimum-cap floor of 100 sessions is a sensible guard for small test/devnet quorums. Triggering a review of commit f54c9b7 now.

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[thepastaclaw]

CI follow-up pushed in e5e8d1e84e.

What changed:

• Kept the per-peer qsigsesann cap, but ensured small/regtest LLMQs have a safe minimum session allowance so legitimate ChainLocks/InstantSend signing bursts are not rejected.
• Added cleanup for announced sessions whose recovered signature already exists even when there are no retained sig shares for that session, so recovered sessions do not linger against the per-peer cap until timeout.
• Kept the focused llmq_signing_shares_tests coverage for enforcing the cap while allowing refreshes of existing sessions.

Validation:

• make -j8
• src/test/test_dash --run_test=llmq_signing_shares_tests --catch_system_errors=no
• src/test/test_dash --run_test=evo_dip3_activation_tests/verify_db_legacy --catch_system_errors=no
• git diff --check

Note: the prior feature_llmq_chainlocks.py failures were on old head 99be9334cd; the updated head is e5e8d1e84e and CI has been retriggered by the push.

[thepastaclaw]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[thepastaclaw]

✅ Review complete (commit 76a6fd7)

[thepastaclaw]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[thepastaclaw]

Follow-up pushed in 6595948 to avoid the src/Makefile.test.include predict-conflicts failure: the new signing-share session-cap unit coverage now lives in existing llmq_utils_tests.cpp instead of adding a new test translation unit.\n\nValidation: src/test/test_dash --run_test=llmq_utils_tests passed locally.\n\n ✅ Review complete (commit 6595948)\n\nAutomated code review verdict: ship.

[thepastaclaw]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 6595948482

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Preserve announcement-only session expiry on refresh

When a peer periodically re-announces an already-known QSIGSESANN before SESSION_NEW_SHARES_TIMEOUT, insert_or_assign refreshes timeSeenForSessions, and cleanup only expires sessions by comparing the current time to that stored value. That lets announcement-only sessions stay alive indefinitely, so an attacker can keep its capped session slots and the corresponding per-peer state pinned forever; seed this timestamp only when the signHash is first inserted rather than on refresh.

Useful? React with 👍 / 👎.

[thepastaclaw]

Addressed in f6aa12a: QSIGSESANN announcements now seed timeSeenForSessions only on first insert (try_emplace) instead of refreshing it on repeat announcements. Actual sig-share receipt still refreshes the timestamp via ProcessSigShare, so announcement-only sessions expire normally.

[thepastaclaw]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f6aa12a20f

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Count only announcement-created sessions in the cap

When this node already has maxSessions sessions for a peer that were created locally for outgoing traffic (for example CollectSigSharesToAnnounce calls GetOrCreateSessionFromShare for that peer before SendMessages assigns a send session), this count rejects the peer's first unrelated QSIGSESANN even though the new limit is meant to constrain sessions created from announcements. NetSigning::ProcessMessage treats this false return as a ban, so under a busy signing backlog an honest peer can be banned because our own send-side sessions filled the per-peer count; the cap should exclude send-only sessions or track announcement-created sessions separately.

Useful? React with 👍 / 👎.

[thepastaclaw]

Addressed in 03dddee: the session cap now counts only sessions that were actually introduced by QSIGSESANN announcements. Send-only sessions created locally via sig shares no longer consume the announcement-session budget, while existing-session announcements are still accepted and then marked as announcement-backed.

Validation:

• git diff --check
• make -C src -j8 test/test_dash
• src/test/test_dash --run_test=llmq_utils_tests --catch_system_errors=no

[thepastaclaw]

Follow-up pushed in 03dddeea35 for the latest automated review: the QSIGSESANN cap now counts only sessions that were received via announcements, so locally-created send-side sessions do not cause an honest peer's first unrelated announcement to be rejected.

Validation:

• git diff --check
• make -C src -j8 test/test_dash
• src/test/test_dash --run_test=llmq_utils_tests --catch_system_errors=no

[thepastaclaw]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[UdjinM6]

Not sure we should ban here. Wouldn't ignoring it be safer?

Suggested change

	return false;
	return true;

[UdjinM6]

utACK 76a6fd7

[thepastaclaw]

Code Review

Targeted DoS-hardening change with appropriate scope and unit coverage. No correctness or security issues. Three nitpick-level observations from Claude on documentation, an O(n) scan on a hot path, and operation sequencing — none block the PR.

💬 3 nitpick(s)

[thepastaclaw]

💬 Nitpick: Document the cap factor and floor

MAX_SESSIONS_PER_PEER_FACTOR{4} and MIN_SESSIONS_PER_PEER{100} lack any rationale. With LLMQ_400_* (size=400) the per-peer cap is 1600 announcement-derived sessions; each Session carries three quorum-sized CSigSharesInv bitsets plus several uint256s and a CQuorumCPtr. A short comment tying these constants to the threat model in the PR description would help future maintainers reason about adjustments and explain why the 100 floor exists even though no current LLMQ size requires it.

_{source: ['claude']}

[thepastaclaw]

💬 Nitpick: Linear scan per announcement, recomputed on rejection

GetAnnouncementSessionCount(llmqType) is O(n) over sessions and runs from CanCreateSessionFromAnn on every QSIGSESANN. On the rejection path it is then recomputed for the LogPrint at line 266, doubling the cost exactly when a peer is being throttled. A per-llmq-type counter on CSigSharesNodeState (maintained when receivedAnnouncement transitions false→true and on session removal) would make admission O(1). At minimum, cache the count in a local in ProcessMessageSigSesAnn so the rejection log reuses it.

_{source: ['claude']}

[thepastaclaw]

💬 Nitpick: Quorum lookup precedes the cap check

qman.GetQuorum(llmqType, ann.getQuorumHash()) runs at line 253, before the per-peer cap check at line 264. A peer flooding QSIGSESANN with valid quorum hashes still pays the quorum-lookup cost on every announcement after it has been throttled. Moving the cap gate ahead of the quorum resolution (the gate only needs the llmqType and the existing cs lock) would make the throttle cheaper to enforce. Minor sequencing improvement that compounds with addressing the linear scan above.

_{source: ['claude']}