From: Matt Corallo
Date: Mon, 2 May 2022 20:45:17 +0000 (+0000)
Subject: Reject outbound channels if the total reserve is larger than funding
X-Git-Tag: v0.0.107~39^2
X-Git-Url: http://git.bitcoin.ninja/index.cgi?a=commitdiff_plain;h=refs%2Fheads%2F2022-05-lol-more-underflow;p=rust-lightning

Reject outbound channels if the total reserve is larger than funding

In 2826af75a5761859dedcddc870de0753ae4ecde4 we fixed a fuzz crash in which the total reserve values in a channel were greater than the funding amount, checked when an incoming channel is accepted. This, however, did not fix the same issue for outbound channels, where a peer can accept a channel with a nonsense reserve value in the `accept_channel` message.

The `full_stack_target` fuzzer eventually found its way into the same issue, which this resolves.

Thanks (again) to Chaincode Labs for providing the fuzzing resources which found this bug!
---
diff --git a/lightning/src/ln/channel.rs b/lightning/src/ln/channel.rs index 1cb7a689a..0ac9d04af 100644 --- a/lightning/src/ln/channel.rs +++ b/lightning/src/ln/channel.rs 
@@ -1927,6 +1927,10 @@ impl Channel { if msg.dust_limit_satoshis > self.holder_selected_channel_reserve_satoshis { return Err(ChannelError::Close(format!("Dust limit ({}) is bigger than our channel reserve ({})", msg.dust_limit_satoshis, self.holder_selected_channel_reserve_satoshis))); } + if msg.channel_reserve_satoshis > self.channel_value_satoshis - self.holder_selected_channel_reserve_satoshis { + return Err(ChannelError::Close(format!("Bogus channel_reserve_satoshis ({}). Must not be greater than channel value minus our reserve ({})", + msg.channel_reserve_satoshis, self.channel_value_satoshis - self.holder_selected_channel_reserve_satoshis))); + } let full_channel_value_msat = (self.channel_value_satoshis - msg.channel_reserve_satoshis) * 1000; if msg.htlc_minimum_msat >= full_channel_value_msat { return Err(ChannelError::Close(format!("Minimum htlc value ({}) is full channel value ({})", msg.htlc_minimum_msat, full_channel_value_msat)));
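Review bot: The new guard's own subtraction, `self.channel_value_satoshis - self.holder_selected_channel_reserve_satoshis`, is unchecked. It is only safe if our selected reserve can never exceed the channel value, and nothing in the visible lines establishes that. If the invariant holds because of how the reserve is derived when the channel is created, a short comment or a `debug_assert!` stating it here would make the check self-evidently sound. Otherwise `checked_sub` (closing the channel on `None`) removes the dependency entirely. The same difference is also computed a second time inside the `format!` arguments, so binding it once to a local would keep the comparison and the error message from drifting apart. With the guard in place, the `self.channel_value_satoshis - msg.channel_reserve_satoshis` on the following context line can no longer underflow, which is the point of the fix, but this hunk carries no regression test for the outbound `accept_channel` path. A unit test feeding an `accept_channel` with a reserve above the funding amount would pin the behaviour without relying on the fuzzer to rediscover it.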