
bolt11: validate recovery ID
Invalid recovery IDs cause
secp256k1_ecdsa_recoverable_signature_parse_compact to abort, which
crashes the entire node. We should return an error instead.

Detected by libFuzzer:
[libsecp256k1] illegal argument: recid >= 0 && recid <= 3
morehouse authored and rustyrussell committed Oct 15, 2023
1 parent 88ce922 commit 486fef5
Showing 2 changed files with 7 additions and 0 deletions.
6 changes: 6 additions & 0 deletions common/bolt11.c
Expand Up @@ -917,6 +917,8 @@ struct bolt11 *bolt11_decode_nosig(const tal_t *ctx, const char *str,
return b11;
}

static bool valid_recovery_id(u8 recid) { return recid <= 3; }

/* Decodes and checks signature; returns NULL on error. */
struct bolt11 *bolt11_decode(const tal_t *ctx, const char *str,
const struct feature_set *our_features,
Expand Down Expand Up @@ -957,6 +959,10 @@ struct bolt11 *bolt11_decode(const tal_t *ctx, const char *str,

assert(data_len == 0);

if (!valid_recovery_id(sig_and_recid[64]))
return decode_fail(b11, fail, "invalid recovery ID: %u",
sig_and_recid[64]);

if (!secp256k1_ecdsa_recoverable_signature_parse_compact
(secp256k1_ctx, &sig, sig_and_recid, sig_and_recid[64]))
return decode_fail(b11, fail, "signature invalid");
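Review bot: The new `valid_recovery_id` helper and the check ahead of `secp256k1_ecdsa_recoverable_signature_parse_compact` carry no comment explaining why the range test exists, so the bound `3` reads as a magic number to the next maintainer; the reason (given only in the commit message) belongs next to the helper, e.g. `/* libsecp256k1 treats recid > 3 as an illegal argument and aborts the process instead of returning false, so reject it here before parse_compact. */`. Since `sig_and_recid[64]` is read twice in the new check, binding it once (`u8 recid = sig_and_recid[64];`) and using it in both the test and the `decode_fail` message would also make the intent clearer. As a point of style, the one-line helper body could be split across lines to match the surrounding functions in the file. `bolt11_decode` starts and ends outside this hunk.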
@@ -0,0 +1 @@
lntltc1UZZZZQQDQQpp5pppppppppppppppppZZZZZZZZZZZZQQQQQQQQQQQQQQQQQQQQQQQQQQQQQAQQQQQQQQQQQQQQQQZZZZZZZZZZZZZZZZZZZZZZZppppppppppppppppppppppppppppppppppppZZZZZZZZZZZZZZZZZZZZZZZZtltc
