From 8938cd7d78d913643b78a4150a40b7bb008fdd26 Mon Sep 17 00:00:00 2001
From: Matt Corallo <git@bluematt.me>
Date: Tue, 27 Mar 2018 11:34:22 -0400
Subject: [PATCH] Expand full_stack_target from uselessly-large to
 laughably-large

---
 fuzz/Cargo.toml                        |   1 +
 fuzz/fuzz_targets/channel_target.rs    |   3 +
 fuzz/fuzz_targets/full_stack_target.rs | 165 +++++++++++++++++++++++--
 fuzz/fuzz_targets/peer_crypt_target.rs |   3 +
 src/util/mod.rs                        |   3 +
 src/util/rng.rs                        |  21 +++-
 6 files changed, 183 insertions(+), 13 deletions(-)

diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml
index 7ed7533a..39f805d4 100644
--- a/fuzz/Cargo.toml
+++ b/fuzz/Cargo.toml
@@ -15,6 +15,7 @@ honggfuzz_fuzz = ["honggfuzz"]
 lightning = { path = "..", features = ["fuzztarget"] }
 bitcoin = { git = "https://github.com/rust-bitcoin/rust-bitcoin", features = ["fuzztarget"] }
 secp256k1 = { version = "0.9", features = ["fuzztarget"] }
+rust-crypto = "0.2"
 honggfuzz = { version = "0.5", optional = true }
 afl = { version = "0.3", optional = true }
 
diff --git a/fuzz/fuzz_targets/channel_target.rs b/fuzz/fuzz_targets/channel_target.rs
index d07b342d..66aadaab 100644
--- a/fuzz/fuzz_targets/channel_target.rs
+++ b/fuzz/fuzz_targets/channel_target.rs
@@ -12,6 +12,7 @@ use lightning::ln::channelmanager::PendingForwardHTLCInfo;
 use lightning::ln::msgs;
 use lightning::ln::msgs::MsgDecodable;
 use lightning::chain::chaininterface::{FeeEstimator, ConfirmationTarget};
+use lightning::util::reset_rng_state;
 
 use secp256k1::key::PublicKey;
 use secp256k1::Secp256k1;
@@ -89,6 +90,8 @@ impl<'a> FeeEstimator for FuzzEstimator<'a> {
 
 #[inline]
 pub fn do_test(data: &[u8]) {
+	reset_rng_state();
+
 	let input = InputData {
 		data,
 		read_pos: AtomicUsize::new(0),
diff --git a/fuzz/fuzz_targets/full_stack_target.rs b/fuzz/fuzz_targets/full_stack_target.rs
index c7ad6d49..e36f6420 100644
--- a/fuzz/fuzz_targets/full_stack_target.rs
+++ b/fuzz/fuzz_targets/full_stack_target.rs
@@ -1,20 +1,31 @@
 extern crate bitcoin;
+extern crate crypto;
 extern crate lightning;
 extern crate secp256k1;
 
-use bitcoin::blockdata::transaction::Transaction;
+use bitcoin::blockdata::block::BlockHeader;
+use bitcoin::blockdata::transaction::{Transaction, TxOut};
+use bitcoin::blockdata::script::Script;
 use bitcoin::network::constants::Network;
+use bitcoin::network::serialize::{serialize, BitcoinHash};
 use bitcoin::util::hash::Sha256dHash;
+use bitcoin::util::uint::Uint256;
 
-use lightning::chain::chaininterface::{BroadcasterInterface,ConfirmationTarget,FeeEstimator,ChainWatchInterfaceUtil};
+use crypto::sha2::Sha256;
+use crypto::digest::Digest;
+
+use lightning::chain::chaininterface::{BroadcasterInterface,ConfirmationTarget,ChainListener,FeeEstimator,ChainWatchInterfaceUtil};
 use lightning::ln::{channelmonitor,msgs};
 use lightning::ln::channelmanager::ChannelManager;
 use lightning::ln::peer_handler::{MessageHandler,PeerManager,SocketDescriptor};
 use lightning::ln::router::Router;
+use lightning::util::events::{EventsProvider,Event};
+use lightning::util::reset_rng_state;
 
 use secp256k1::key::{PublicKey,SecretKey};
 use secp256k1::Secp256k1;
 
+use std::collections::HashMap;
 use std::sync::Arc;
 use std::sync::atomic::{AtomicUsize,Ordering};
 
@@ -24,6 +35,13 @@ pub fn slice_to_be16(v: &[u8]) -> u16 {
 	((v[1] as u16) << 8*0)
 }
 
+#[inline]
+pub fn slice_to_be24(v: &[u8]) -> u32 {
+	((v[0] as u32) << 8*2) |
+	((v[1] as u32) << 8*1) |
+	((v[2] as u32) << 8*0)
+}
+
 #[inline]
 pub fn slice_to_be32(v: &[u8]) -> u32 {
 	((v[0] as u32) << 8*3) |
@@ -32,6 +50,20 @@ pub fn slice_to_be32(v: &[u8]) -> u32 {
 	((v[3] as u32) << 8*0)
 }
 
+#[inline]
+pub fn be64_to_array(u: u64) -> [u8; 8] {
+	let mut v = [0; 8];
+	v[0] = ((u >> 8*7) & 0xff) as u8;
+	v[1] = ((u >> 8*6) & 0xff) as u8;
+	v[2] = ((u >> 8*5) & 0xff) as u8;
+	v[3] = ((u >> 8*4) & 0xff) as u8;
+	v[4] = ((u >> 8*3) & 0xff) as u8;
+	v[5] = ((u >> 8*2) & 0xff) as u8;
+	v[6] = ((u >> 8*1) & 0xff) as u8;
+	v[7] = ((u >> 8*0) & 0xff) as u8;
+	v
+}
+
 struct InputData {
 	data: Vec<u8>,
 	read_pos: AtomicUsize,
@@ -44,13 +76,6 @@ impl InputData {
 		}
 		Some(&self.data[old_pos..old_pos + len])
 	}
-	fn get_slice_nonadvancing(&self, len: usize) -> Option<&[u8]> {
-		let old_pos = self.read_pos.load(Ordering::Acquire);
-		if self.data.len() < old_pos + len {
-			return None;
-		}
-		Some(&self.data[old_pos..old_pos + len])
-	}
 }
 
 struct FuzzEstimator {
@@ -92,6 +117,8 @@ impl SocketDescriptor for Peer {
 
 #[inline]
 pub fn do_test(data: &[u8]) {
+	reset_rng_state();
+
 	let input = Arc::new(InputData {
 		data: data.to_vec(),
 		read_pos: AtomicUsize::new(0),
@@ -137,6 +164,12 @@ pub fn do_test(data: &[u8]) {
 	}, our_network_key);
 
 	let mut peers = [false; 256];
+	let mut should_forward = false;
+	let mut payments_received = Vec::new();
+	let mut payments_sent = 0;
+	let mut pending_funding_generation: Vec<(Uint256, u64, Script)> = Vec::new();
+	let mut pending_funding_signatures = HashMap::new();
+	let mut pending_funding_relay = Vec::new();
 
 	loop {
 		match get_slice!(1)[0] {
@@ -178,8 +211,122 @@ pub fn do_test(data: &[u8]) {
 					Err(_) => { peers[peer_id as usize] = false; }
 				}
 			},
+			4 => {
+				let value = slice_to_be24(get_slice!(3)) as u64;
+				let route = match router.get_route(&get_pubkey!(), &Vec::new(), value, 42) {
+					Ok(route) => route,
+					Err(_) => return,
+				};
+				let mut payment_hash = [0; 32];
+				payment_hash[0..8].copy_from_slice(&be64_to_array(payments_sent));
+				let mut sha = Sha256::new();
+				sha.input(&payment_hash);
+				sha.result(&mut payment_hash);
+				for i in 1..32 { payment_hash[i] = 0; }
+				payments_sent += 1;
+				match channelmanager.send_payment(route, payment_hash) {
+					Ok(_) => {},
+					Err(_) => return,
+				}
+			},
+			5 => {
+				let peer_id = get_slice!(1)[0];
+				if !peers[peer_id as usize] { return; }
+				let their_key = get_pubkey!();
+				let chan_value = slice_to_be24(get_slice!(3)) as u64;
+				if channelmanager.create_channel(their_key, chan_value, 0).is_err() { return; }
+			},
+			6 => {
+				let mut channels = channelmanager.list_channels();
+				let channel_id = get_slice!(1)[0] as usize;
+				if channel_id >= channels.len() { return; }
+				channels.sort_by(|a, b| { a.channel_id.cmp(&b.channel_id) });
+				if channelmanager.close_channel(&channels[channel_id].channel_id).is_err() { return; }
+			},
+			7 => {
+				if should_forward {
+					channelmanager.process_pending_htlc_forward();
+					handler.process_events();
+					should_forward = false;
+				}
+			},
+			8 => {
+				for payment in payments_received.drain(..) {
+					let mut payment_preimage = None;
+					for i in 0..payments_sent {
+						let mut payment_hash = [0; 32];
+						payment_hash[0..8].copy_from_slice(&be64_to_array(i));
+						let mut sha = Sha256::new();
+						sha.input(&payment_hash);
+						sha.result(&mut payment_hash);
+						for i in 1..32 { payment_hash[i] = 0; }
+						if payment_hash == payment {
+							payment_hash = [0; 32];
+							payment_hash[0..8].copy_from_slice(&be64_to_array(i));
+							payment_preimage = Some(payment_hash);
+							break;
+						}
+					}
+					channelmanager.claim_funds(payment_preimage.unwrap());
+				}
+			},
+			9 => {
+				for payment in payments_received.drain(..) {
+					channelmanager.fail_htlc_backwards(&payment);
+				}
+			},
+			10 => {
+				for funding_generation in  pending_funding_generation.drain(..) {
+					let mut tx = Transaction { version: 0, lock_time: 0, input: Vec::new(), output: vec![TxOut {
+							value: funding_generation.1, script_pubkey: funding_generation.2,
+						}] };
+					let funding_output = (Sha256dHash::from_data(&serialize(&tx).unwrap()[..]), 0);
+					channelmanager.funding_transaction_generated(&funding_generation.0, funding_output.clone());
+					pending_funding_signatures.insert(funding_output, tx);
+				}
+			},
+			11 => {
+				if !pending_funding_relay.is_empty() {
+					let mut txn = Vec::with_capacity(pending_funding_relay.len());
+					let mut txn_idxs = Vec::with_capacity(pending_funding_relay.len());
+					for (idx, tx) in pending_funding_relay.iter().enumerate() {
+						txn.push(tx);
+						txn_idxs.push(idx as u32 + 1);
+					}
+
+					let mut header = BlockHeader { version: 0x20000000, prev_blockhash: Default::default(), merkle_root: Default::default(), time: 42, bits: 42, nonce: 42 };
+					channelmanager.block_connected(&header, 1, &txn[..], &txn_idxs[..]);
+					txn.clear();
+					txn_idxs.clear();
+					for i in 2..100 {
+						header = BlockHeader { version: 0x20000000, prev_blockhash: header.bitcoin_hash(), merkle_root: Default::default(), time: 42, bits: 42, nonce: 42 };
+						channelmanager.block_connected(&header, i, &txn[..], &txn_idxs[..]);
+					}
+				}
+				pending_funding_relay.clear();
+			},
 			_ => return,
 		}
+		for event in handler.get_and_clear_pending_events() {
+			match event {
+				Event::FundingGenerationReady { temporary_channel_id, channel_value_satoshis, output_script, .. } => {
+					pending_funding_generation.push((temporary_channel_id, channel_value_satoshis, output_script));
+				},
+				Event::FundingBroadcastSafe { funding_txo, .. } => {
+					pending_funding_relay.push(pending_funding_signatures.remove(&funding_txo).unwrap());
+				},
+				Event::PaymentReceived { payment_hash, .. } => {
+					payments_received.push(payment_hash);
+				},
+				Event::PaymentSent {..} => {},
+				Event::PaymentFailed {..} => {},
+
+				Event::PendingHTLCsForwardable {..} => {
+					should_forward = true;
+				},
+				_ => panic!("Unknown event"),
+			}
+		}
 	}
 }
 
diff --git a/fuzz/fuzz_targets/peer_crypt_target.rs b/fuzz/fuzz_targets/peer_crypt_target.rs
index b7287fb9..06d00c2e 100644
--- a/fuzz/fuzz_targets/peer_crypt_target.rs
+++ b/fuzz/fuzz_targets/peer_crypt_target.rs
@@ -2,6 +2,7 @@ extern crate lightning;
 extern crate secp256k1;
 
 use lightning::ln::peer_channel_encryptor::PeerChannelEncryptor;
+use lightning::util::reset_rng_state;
 
 use secp256k1::key::{PublicKey,SecretKey};
 use secp256k1::Secp256k1;
@@ -14,6 +15,8 @@ fn slice_to_be16(v: &[u8]) -> u16 {
 
 #[inline]
 pub fn do_test(data: &[u8]) {
+	reset_rng_state();
+
 	let mut read_pos = 0;
 	macro_rules! get_slice {
 		($len: expr) => {
diff --git a/src/util/mod.rs b/src/util/mod.rs
index b7578bce..a39d2884 100644
--- a/src/util/mod.rs
+++ b/src/util/mod.rs
@@ -7,5 +7,8 @@ pub(crate) mod internal_traits;
 pub(crate) mod rng;
 pub(crate) mod sha2;
 
+#[cfg(feature = "fuzztarget")]
+pub use self::rng::reset_rng_state;
+
 #[cfg(test)]
 pub(crate) mod test_utils;
diff --git a/src/util/rng.rs b/src/util/rng.rs
index f0d44925..818528b8 100644
--- a/src/util/rng.rs
+++ b/src/util/rng.rs
@@ -24,19 +24,32 @@ pub use self::real_rng::*;
 #[cfg(feature = "fuzztarget")]
 mod fuzzy_rng {
 	use bitcoin::util::uint::Uint256;
+	use util::byte_utils;
+
+	static mut RNG_ITER: u64 = 0;
 
 	pub fn fill_bytes(data: &mut [u8]) {
-		for i in 0..data.len() {
-			data[i] = 0x42;
+		let rng = unsafe { RNG_ITER += 1; RNG_ITER -1 };
+		for i in 0..data.len() / 8 {
+			data[i*8..(i+1)*8].copy_from_slice(&byte_utils::be64_to_array(rng));
 		}
+		let rem = data.len() % 8;
+		let off = data.len() - rem;
+		data[off..].copy_from_slice(&byte_utils::be64_to_array(rng)[0..rem]);
 	}
 
 	pub fn rand_uint256() -> Uint256 {
-		Uint256([0xdeadbeef, 0x1badcafe, 0xbadbeef, 0xdeadcafe])
+		let rng = unsafe { RNG_ITER += 1; RNG_ITER - 1 };
+		Uint256([rng, rng, rng, rng])
 	}
 
 	pub fn rand_f32() -> f32 {
-		0.42
+		let rng = unsafe { RNG_ITER += 1; RNG_ITER - 1 };
+		f64::from_bits(rng) as f32
+	}
+
+	pub fn reset_rng_state() {
+		unsafe { RNG_ITER = 0; }
 	}
 }
 #[cfg(feature = "fuzztarget")]
-- 
2.30.2