]> git.bitcoin.ninja Git - rust-lightning/commitdiff
Reject outbound channels if the total reserve is larger than funding 2022-05-lol-more-underflow
authorMatt Corallo <git@bluematt.me>
Mon, 2 May 2022 20:45:17 +0000 (20:45 +0000)
committerMatt Corallo <git@bluematt.me>
Mon, 2 May 2022 20:45:17 +0000 (20:45 +0000)
In 2826af75a5761859dedcddc870de0753ae4ecde4 we fixed a fuzz crash
in which the total reserve values in a channel were greater than
the funding amount, checked when an incoming channel is accepted.

This, however, did not fix the same issue for outbound channels,
where a peer can accept a channel with a nonsense reserve value in
the `accept_channel` message. The `full_stack_target` fuzzer
eventually found its way into the same issue, which this resolves.

Thanks (again) to Chaincode Labs for providing the fuzzing
resources which found this bug!

lightning/src/ln/channel.rs

index 1cb7a689a21a1b710413e93afbba8e1881d48e90..0ac9d04afee075cc90c73a1f0df730da1eb46a1b 100644 (file)
@@ -1927,6 +1927,10 @@ impl<Signer: Sign> Channel<Signer> {
                if msg.dust_limit_satoshis > self.holder_selected_channel_reserve_satoshis {
                        return Err(ChannelError::Close(format!("Dust limit ({}) is bigger than our channel reserve ({})", msg.dust_limit_satoshis, self.holder_selected_channel_reserve_satoshis)));
                }
+               if msg.channel_reserve_satoshis > self.channel_value_satoshis - self.holder_selected_channel_reserve_satoshis {
+                       return Err(ChannelError::Close(format!("Bogus channel_reserve_satoshis ({}). Must not be greater than channel value minus our reserve ({})",
+                               msg.channel_reserve_satoshis, self.channel_value_satoshis - self.holder_selected_channel_reserve_satoshis)));
+               }
                let full_channel_value_msat = (self.channel_value_satoshis - msg.channel_reserve_satoshis) * 1000;
                if msg.htlc_minimum_msat >= full_channel_value_msat {
                        return Err(ChannelError::Close(format!("Minimum htlc value ({}) is full channel value ({})", msg.htlc_minimum_msat, full_channel_value_msat)));