git.bitcoin.ninja Git - rust-lightning/commit

author	Matt Corallo <git@bluematt.me>
	Tue, 14 Jun 2022 10:54:39 +0000 (10:54 +0000)
committer	Matt Corallo <git@bluematt.me>
	Fri, 1 Jul 2022 14:47:17 +0000 (14:47 +0000)
commit	6c480ae887b751e868423d606d706e352d9615f0
tree	600d6be37b208e534ea1925cb0d9b2975e3f5f1d	tree \| snapshot
parent	8a97e58933a1be025e6e3d339bfb04cb39519d35	commit \| diff

Fix spurious panic on bogus funding txn that confirm and are spent

In c02b6a3807488e1943d79792c5ac0ee52530b971 we moved the
`payment_preimage` copy from inside the macro which only runs if we
are spending an output we know is an HTLC output to doing it for
any script that matches our expected length. This can panic if an
inbound channel is created with a bogus funding transaction that
has a witness program of the HTLC-Success/-Offered length but which
does not have a second-to-last witness element which is 32 bytes.

Luckily this panic is relatively simple for downstream users to
work around - if an invalid-length-copy panic occurs, simply remove
the ChannelMonitor from the bogus channel on startup and run
without it. Because the channel must be funded by a bogus script in
order to reach this panic, the channel will already have closed by
the time the funding transaction is spent, and there can be no
local funds in such a channel, so removing the `ChannelMonitor`
wholesale is completely safe.

In order to test this we have to disable an in-line assertion that
checks that our transactions match expected scripts which we do by
checking for the specific bogus script that we now use in
`test_invalid_funding_tx`.

Thanks to Eugene Siegel for reporting this issue.

lightning/src/chain/channelmonitor.rs		diff \| blob \| history
lightning/src/ln/functional_tests.rs		diff \| blob \| history