From 7497ed2402aaf8b69b6d5c1a85dc99dba36a6ca3 Mon Sep 17 00:00:00 2001
From: Valentine Wallace
Date: Wed, 14 Jul 2021 16:23:38 -0400
Subject: [PATCH] Fix crash due to index-out-of-bounds in feature translation

This was reported by a user when trying to send a payment using the LDK sample (specifically during route generation when translating a Features from one context to another) The problem was we didn't check T::KNOWN_FEATURE_MASK vec length before indexing into it, due likely to the assumption that known feature vec lengths are the same across contexts, when they may not be
---
 lightning/src/ln/features.rs | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/lightning/src/ln/features.rs b/lightning/src/ln/features.rs
index b459baf06..9d865d15e 100644
--- a/lightning/src/ln/features.rs
+++ b/lightning/src/ln/features.rs
@@ -490,13 +490,14 @@ impl Features {
 /// Converts `Features` to `Features`. Only known `T` features relevant to context `C` are
 /// included in the result.
 fn to_context_internal(&self) -> Features {
- let byte_count = C::KNOWN_FEATURE_MASK.len();
+ let from_byte_count = T::KNOWN_FEATURE_MASK.len();
+ let to_byte_count = C::KNOWN_FEATURE_MASK.len();
 let mut flags = Vec::new();
 for (i, byte) in self.flags.iter().enumerate() {
- if i < byte_count {
- let known_source_features = T::KNOWN_FEATURE_MASK[i];
- let known_target_features = C::KNOWN_FEATURE_MASK[i];
- flags.push(byte & known_source_features & known_target_features);
+ if i < from_byte_count && i < to_byte_count {
+ let from_known_features = T::KNOWN_FEATURE_MASK[i];
+ let to_known_features = C::KNOWN_FEATURE_MASK[i];
+ flags.push(byte & from_known_features & to_known_features);
 }
 }
 Features:: { flags, mark: PhantomData, }
-- 
2.39.5
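Review bot: In `to_context_internal` the two `KNOWN_FEATURE_MASK[i]` index expressions are still protected only by a hand-written `if`, so the panic can come back if a later edit changes the condition. Iterating the three sequences together removes the index path entirely, e.g. `let flags = self.flags.iter().zip(T::KNOWN_FEATURE_MASK.iter()).zip(C::KNOWN_FEATURE_MASK.iter()).map(|((byte, from), to)| byte & from & to).collect();` (assuming `KNOWN_FEATURE_MASK` is a slice or array, as the `.len()` and `[i]` uses suggest). The diffstat lists only `features.rs`, so the fix ships without a regression test; one that converts between two contexts whose masks differ in length, in both directions, would pin it. The feature bytes probably originate from peers or gossip, in which case a panic here is a crash a remote party can provoke. The function's closing brace lies outside the hunk.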