bolt11: avoid reading uninitialized memory

If both databits and *data_len are 0, pull_uint returns unitialized stack memory in *val. Detected by valgrind and UBSan. valgrind: ==225078== Use of uninitialised value of size 8 ==225078== __sanitizer_cov_trace_cmp8 ==225078== decode_c (bolt11.c:294) ==225078== bolt11_decode_nosig (bolt11.c:881) ==225078== bolt11_decode (bolt11.c:945) UBSan: common/bolt11.c:79:29: runtime error: shift exponent 64 is too large for 64-bit type 'uint64_t'
ElementsProject · Oct 15, 2023 · 440fe8c · 440fe8c
1 parent 386d01d
commit 440fe8c
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 1 deletion.
diff --git a/common/bolt11.c b/common/bolt11.c
@@ -76,7 +76,11 @@ static const char *pull_uint(struct hash_u5 *hu5,
 	err = pull_bits(hu5, data, data_len, &be_val, databits, true);
 	if (err)
 		return err;
-	*val = be64_to_cpu(be_val) >> (sizeof(be_val) * CHAR_BIT - databits);
+	if (databits == 0)
+		*val = 0;
+	else
+		*val = be64_to_cpu(be_val) >>
+		       (sizeof(be_val) * CHAR_BIT - databits);
 	return NULL;
 }
 

diff --git a/tests/fuzz/corpora/fuzz-bolt11-decode/crash-ad3693f6c454ce739ca67a4aff234cb3f3f598b5 b/tests/fuzz/corpora/fuzz-bolt11-decode/crash-ad3693f6c454ce739ca67a4aff234cb3f3f598b5
@@ -0,0 +1 @@
+lnltc1zzzzzAzcQQQQQZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZXZZZZZZZZZZZZZZZZZJZZZZZZZZZZzzzZZZZZZZZ
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		lnltc1zzzzzAzcQQQQQZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZXZZZZZZZZZZZZZZZZZJZZZZZZZZZZzzzZZZZZZZZ