From b70fe2a8f39c8a9c35540e63b34e263b0cac2748 Mon Sep 17 00:00:00 2001
From: Matt Morehouse
Date: Tue, 17 Oct 2023 11:29:47 +1030
Subject: [PATCH] bolt11: don't abort on invalid pubkey

Rather than crashing the entire node on invalid pubkey, we should return an error.

Detected by libFuzzer:
==250024== ERROR: libFuzzer: deadly signal

[ Changed so that `n` really does check that it's valid --RR ]

#7 abort
#8 bolt11_decode common/bolt11.c:1002:4
---
 common/bolt11.c | 16 ++++++++++++++--
 ...ash-08a0ea0c1dd7003293bf5d6e05708c6918757cd7 | Bin 0 -> 3002 bytes
 2 files changed, 14 insertions(+), 2 deletions(-)
 create mode 100644 tests/fuzz/corpora/fuzz-bolt11-decode/crash-08a0ea0c1dd7003293bf5d6e05708c6918757cd7

diff --git a/common/bolt11.c b/common/bolt11.c
index c6eb0bd8f2bc..e84cf6dc784a 100644
--- a/common/bolt11.c
+++ b/common/bolt11.c
@@ -306,14 +306,26 @@ static const char *decode_n(struct bolt11 *b11,
 const u5 **data, size_t *field_len,
 bool *have_n)
 {
+ const char *err;
+
 assert(!*have_n);
 /* BOLT #11:
 *
 * A reader... MUST skip over unknown fields, OR an `f` field
 * with unknown `version`, OR `p`, `h`, `s` or `n` fields that do
 * NOT have `data_length`s of 52, 52, 52 or 53, respectively.
 */
- return pull_expected_length(b11, hu5, data, field_len, 53, 'n',
- have_n, &b11->receiver_id.k);
+ err = pull_expected_length(b11, hu5, data, field_len, 53, 'n',
+ have_n, &b11->receiver_id.k);
+
+ /* If that gave us nodeid, check it. */
+ if (*have_n) {
+ struct pubkey k;
+ if (!pubkey_from_node_id(&k, &b11->receiver_id))
+ return tal_fmt(b11, "invalid public key %s",
+ node_id_to_hexstr(tmpctx, &b11->receiver_id));
+ }
+
+ return err;
 }

 /* BOLT #11:
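Review bot: The pubkey check at `if (*have_n)` runs regardless of whether `err` is non-NULL, so its correctness depends on `pull_expected_length` never setting `*have_n` while also returning an error — a contract that lives outside this hunk; if it can do both, the "invalid public key" message would replace the length error and the check would run on a possibly incomplete `receiver_id`. Making the ordering explicit with `if (err) return err;` directly after the call, or a comment on that call stating that `*have_n` is only set on success, would remove the ambiguity. The local `k` is only written, never read, so the comment could say so: `/* Decoded key is discarded: this only confirms the 33 bytes are a valid point, so later code can rely on receiver_id. */`. Returning an error here instead of reaching the abort reported in the commit message is the right shape, since a peer-supplied invoice must not be able to take the node down. decode_n's signature line precedes the hunk.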
diff --git a/tests/fuzz/corpora/fuzz-bolt11-decode/crash-08a0ea0c1dd7003293bf5d6e05708c6918757cd7 b/tests/fuzz/corpora/fuzz-bolt11-decode/crash-08a0ea0c1dd7003293bf5d6e05708c6918757cd7 new file mode 100644 index 0000000000000000000000000000000000000000..7bdc44850d72228113a89cd2d105dfbc8e6b7d3a GIT binary patch literal 3002 zcmc&$Ne;p=4D6SX;0N3|<$wg`h}09Rdg%W}oW;!~A#S=*OAxPPk5d&s{rDN*r+eEf zmMdw4mW%#4l}wh_24f6DR8(vYs}$N zQNg-Awg{3-AYfWmF2=sycKPHMR`E0+)g2?C$@GvGaq?%h>ZTRg&<^W_2zHAK)(PxHv>?F%@Av*v487qKZpX)!1e8*B?saoz1vb}^ nf^}P8lcSNsn!pPtSz{oJHAuGh#)Fp>|A6?MxNl6;Nkq2q literal 0 HcmV?d00001