From 8a9349ae6ec5e1d838342658ed9ae82b63cf050e Mon Sep 17 00:00:00 2001 From: Matt Morehouse Date: Tue, 17 Oct 2023 11:59:21 -0500 Subject: [PATCH] bolt11: don't abort on invalid pubkey Rather than crashing the entire node on invalid pubkey, check the validity of the pubkey in decode_n, and return an error if invalid. Detected by libFuzzer: ==265599== ERROR: libFuzzer: deadly signal #7 abort #8 bolt11_decode common/bolt11.c:999:4 --- common/bolt11.c | 17 +++++++++++++++-- ...ash-c4df1aeeec336a31cb468bef279a490cf472acb2 | 1 + 2 files changed, 16 insertions(+), 2 deletions(-) create mode 100644 tests/fuzz/corpora/fuzz-bolt11/crash-c4df1aeeec336a31cb468bef279a490cf472acb2 diff --git a/common/bolt11.c b/common/bolt11.c index c6eb0bd8f2bc..1a397d339311 100644 --- a/common/bolt11.c +++ b/common/bolt11.c @@ -306,14 +306,27 @@ static const char *decode_n(struct bolt11 *b11, const u5 **data, size_t *field_len, bool *have_n) { + const char *err; + assert(!*have_n); /* BOLT #11: * * A reader... MUST skip over unknown fields, OR an `f` field * with unknown `version`, OR `p`, `h`, `s` or `n` fields that do * NOT have `data_length`s of 52, 52, 52 or 53, respectively. */ - return pull_expected_length(b11, hu5, data, field_len, 53, 'n', - have_n, &b11->receiver_id.k); + err = pull_expected_length(b11, hu5, data, field_len, 53, 'n', have_n, + &b11->receiver_id.k); + + /* If that gave us a node ID, check it. */ + if (*have_n) { + struct pubkey k; + if (!pubkey_from_node_id(&k, &b11->receiver_id)) + return tal_fmt( + b11, "invalid public key %s", + node_id_to_hexstr(tmpctx, &b11->receiver_id)); + } + + return err; } /* BOLT #11: diff --git a/tests/fuzz/corpora/fuzz-bolt11/crash-c4df1aeeec336a31cb468bef279a490cf472acb2 b/tests/fuzz/corpora/fuzz-bolt11/crash-c4df1aeeec336a31cb468bef279a490cf472acb2 new file mode 100644 index 000000000000..f3a145db0575 --- /dev/null +++ b/tests/fuzz/corpora/fuzz-bolt11/crash-c4df1aeeec336a31cb468bef279a490cf472acb2 
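Review bot: The new `if (*have_n)` branch derives `struct pubkey k` only to discard it, so whatever later consumes `b11->receiver_id` (the bolt11_decode site that aborted, per the commit message) must repeat the conversion and will still abort if any other path fills `receiver_id` without passing through decode_n; keeping the parsed key on `b11`, or at least documenting the reliance, would make the fix less fragile. The comment `/* If that gave us a node ID, check it. */` should say why: `/* 53 u5 digits is the right length, but the 33 bytes need not be a valid compressed secp256k1 point; later code assumes receiver_id converts cleanly, so reject it here. */`. Also, if `pull_expected_length` can return an error while still setting `*have_n` (its contract is not visible in the hunk), the pubkey error silently replaces `err`; `if (!err && *have_n)` would make the precedence explicit and cheap to reason about. decode_n's signature begins before the hunk's first line.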
@@ -0,0 +1 @@ +lnbc1qqqqpqqnp4qqqlftcw9qqqqqqqqqqqqygh9qpp5qpp5s7zxqqqqcqpjpqqygh9qpp5s7zxqqqqcqpjpqqlqqqqqqqqqqqqcqqpqqqqqqqqqqqsqqqqqqqqdqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqpqqqqqqqqqqqqqqqqqqqqqqqqqqqqqlqqqcqpjptfqptfqptfqpqqqqqqqqqqqqqqqqqqq8ddm0a \ No newline at end of file