From: Matt Corallo
Date: Sun, 19 Jan 2020 21:03:25 +0000 (-0500)
Subject: Panic on txn with value > 21mill in ChannelMonitor::block_connected
X-Git-Tag: v0.0.12~146^2
X-Git-Url: http://git.bitcoin.ninja/index.cgi?a=commitdiff_plain;h=refs%2Fheads%2F2020-01-fuzz-mega-value;p=rust-lightning

Panic on txn with value > 21mill in ChannelMonitor::block_connected

full_stack_target found a crash where we may overflow ruring fee calculation if a transaction appears on-chain with massive value available for us to claim. Since these transactions are clearly bogus, we shouldn't allow full_stack_target to connect them, but we also improve the error generated by explicitly panicing on them.
---
diff --git a/fuzz/src/full_stack.rs b/fuzz/src/full_stack.rs
index 19dc28042..5aa6d94ed 100644
--- a/fuzz/src/full_stack.rs
+++ b/fuzz/src/full_stack.rs
@@ -485,6 +485,12 @@ pub fn do_test(data: &[u8], logger: &Arc) {
 } else {
 let txres: Result = deserialize(get_slice!(txlen));
 if let Ok(tx) = txres {
+ let mut output_val = 0;
+ for out in tx.output.iter() {
+ if out.value > 21_000_000_0000_0000 { return; }
+ output_val += out.value;
+ if output_val > 21_000_000_0000_0000 { return; }
+ }
 loss_detector.connect_block(&[tx]);
 } else {
 return;
diff --git a/lightning/src/ln/channelmonitor.rs b/lightning/src/ln/channelmonitor.rs
index 70f11405d..c96c30cbe 100644
--- a/lightning/src/ln/channelmonitor.rs
+++ b/lightning/src/ln/channelmonitor.rs
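Review bot: The filter added before `loss_detector.connect_block(&[tx])` in `do_test` (fuzz/src/full_stack.rs) is a hand copy of the check this commit adds to `ChannelMonitor::block_connected`, with the limit `21_000_000_0000_0000` written out four times across the two hunks and nothing tying the copies together. If the library check is later changed and this copy is not, the fuzzer will either report the intentional panic as a crash or quietly stop covering inputs the library now accepts. A shared named constant, for example `const MAX_VALUE_SAT: u64 = 21_000_000 * 100_000_000;` (assuming `value` is a `u64`, which the hunk does not show), and a comment here such as `// Must mirror the value checks at the top of ChannelMonitor::block_connected, which panic on such transactions` would make the coupling visible. `do_test` starts and ends outside the hunk.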
@@ -2334,6 +2334,15 @@ impl ChannelMonitor { } fn block_connected(&mut self, txn_matched: &[&Transaction], height: u32, block_hash: &Sha256dHash, broadcaster: &BroadcasterInterface, fee_estimator: &FeeEstimator)-> (Vec<(Sha256dHash, Vec)>, Vec, Vec<(HTLCSource, Option, PaymentHash)>) { + for tx in txn_matched { + let mut output_val = 0; + for out in tx.output.iter() { + if out.value > 21_000_000_0000_0000 { panic!("Value-overflowing transaction provided to block connected"); } + output_val += out.value; + if output_val > 21_000_000_0000_0000 { panic!("Value-overflowing transaction provided to block connected"); } + } + } + log_trace!(self, "Block {} at height {} connected with {} txn matched", block_hash, height, txn_matched.len()); let mut watch_outputs = Vec::new(); let mut spendable_outputs = Vec::new();
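Review bot: The `panic!` calls added at the top of `block_connected` turn an out-of-range output value into a process abort, and the function has no documentation telling callers that they must only pass transactions from validated blocks. For a node that takes block data from a source it does not fully validate, that could let the upstream source stop the component that watches the chain for channel closes, so the precondition is worth stating in a doc comment such as `/// Panics if any transaction in txn_matched has an output value, or a running sum of output values, above 21 million BTC; callers must only pass transactions from consensus-valid blocks.` The check is also applied per transaction, so if the fee calculation mentioned in the commit message adds up values from several matched transactions it may still be able to overflow; that code is outside the hunk, and checked arithmetic at the calculation itself would be the more direct guard. The function body continues past the end of the hunk.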