From bdbf5666a9d693b9bf11a9e66efe72e5782d82a6 Mon Sep 17 00:00:00 2001
From: Tamas Blummer <tamas.blummer@gmail.com>
Date: Wed, 24 Jul 2019 07:51:11 +0200
Subject: [PATCH 1/1] forbid unsafe

---
 README.md                   |  2 ++
 src/lib.rs                  |  1 +
 src/ln/msgs.rs              |  1 -
 src/ln/onion_utils.rs       | 13 +++++--------
 src/util/internal_traits.rs |  7 -------
 src/util/mod.rs             |  1 -
 6 files changed, 8 insertions(+), 17 deletions(-)
 delete mode 100644 src/util/internal_traits.rs

diff --git a/README.md b/README.md
index f2a39670..fb21395d 100644
--- a/README.md
+++ b/README.md
@@ -1,3 +1,5 @@
+[![Safety Dance](https://img.shields.io/badge/unsafe-forbidden-success.svg)](https://github.com/rust-secure-code/safety-dance/)
+
 Rust-Lightning, not Rusty's Lightning!
 =====
 
diff --git a/src/lib.rs b/src/lib.rs
index aae543e0..c6e4708a 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -10,6 +10,7 @@
 //! instead of having a rather-separate lightning appendage to a wallet.
 
 #![cfg_attr(not(feature = "fuzztarget"), deny(missing_docs))]
+#![forbid(unsafe_code)]
 
 extern crate bitcoin;
 extern crate bitcoin_hashes;
diff --git a/src/ln/msgs.rs b/src/ln/msgs.rs
index 6c910865..a27b8967 100644
--- a/src/ln/msgs.rs
+++ b/src/ln/msgs.rs
@@ -713,7 +713,6 @@ mod fuzzy_internal_msgs {
 		pub(crate) data: OnionRealm0HopData,
 		pub(crate) hmac: [u8; 32],
 	}
-	unsafe impl ::util::internal_traits::NoDealloc for OnionHopData{}
 
 	pub struct DecodedOnionErrorPacket {
 		pub(crate) hmac: [u8; 32],
diff --git a/src/ln/onion_utils.rs b/src/ln/onion_utils.rs
index 8783aa0b..11b27907 100644
--- a/src/ln/onion_utils.rs
+++ b/src/ln/onion_utils.rs
@@ -1,7 +1,7 @@
 use ln::channelmanager::{PaymentHash, HTLCSource};
 use ln::msgs;
 use ln::router::{Route,RouteHop};
-use util::{byte_utils, internal_traits};
+use util::byte_utils;
 use util::chacha20::ChaCha20;
 use util::errors::{self, APIError};
 use util::ser::{Readable, Writeable};
@@ -17,7 +17,6 @@ use secp256k1::Secp256k1;
 use secp256k1::ecdh::SharedSecret;
 use secp256k1;
 
-use std::ptr;
 use std::io::Cursor;
 use std::sync::Arc;
 
@@ -114,8 +113,6 @@ pub(super) fn build_onion_payloads(route: &Route, starting_htlc_offset: u32) ->
 	let mut cur_cltv = starting_htlc_offset;
 	let mut last_short_channel_id = 0;
 	let mut res: Vec<msgs::OnionHopData> = Vec::with_capacity(route.hops.len());
-	internal_traits::test_no_dealloc::<msgs::OnionHopData>(None);
-	unsafe { res.set_len(route.hops.len()); }
 
 	for (idx, hop) in route.hops.iter().enumerate().rev() {
 		// First hop gets special values so that it can check, on receipt, that everything is
@@ -123,7 +120,7 @@ pub(super) fn build_onion_payloads(route: &Route, starting_htlc_offset: u32) ->
 		// the intended recipient).
 		let value_msat = if cur_value_msat == 0 { hop.fee_msat } else { cur_value_msat };
 		let cltv = if cur_cltv == starting_htlc_offset { hop.cltv_expiry_delta + starting_htlc_offset } else { cur_cltv };
-		res[idx] = msgs::OnionHopData {
+		res.insert(0, msgs::OnionHopData {
 			realm: 0,
 			data: msgs::OnionRealm0HopData {
 				short_channel_id: last_short_channel_id,
@@ -131,7 +128,7 @@ pub(super) fn build_onion_payloads(route: &Route, starting_htlc_offset: u32) ->
 				outgoing_cltv_value: cltv,
 			},
 			hmac: [0; 32],
-		};
+		});
 		cur_value_msat += hop.fee_msat;
 		if cur_value_msat >= 21000000 * 100000000 * 1000 {
 			return Err(APIError::RouteError{err: "Channel fees overflowed?!"});
@@ -147,8 +144,8 @@ pub(super) fn build_onion_payloads(route: &Route, starting_htlc_offset: u32) ->
 
 #[inline]
 fn shift_arr_right(arr: &mut [u8; 20*65]) {
-	unsafe {
-		ptr::copy(arr[0..].as_ptr(), arr[65..].as_mut_ptr(), 19*65);
+	for i in (65..20*65).rev() {
+		arr[i] = arr[i-65];
 	}
 	for i in 0..65 {
 		arr[i] = 0;
diff --git a/src/util/internal_traits.rs b/src/util/internal_traits.rs
deleted file mode 100644
index c12276ce..00000000
--- a/src/util/internal_traits.rs
+++ /dev/null
@@ -1,7 +0,0 @@
-/// A simple marker trait that indicates a type requires no deallocation. Implies we can set_len()
-/// on a Vec of these things and will be safe to overwrite them with =.
-pub unsafe trait NoDealloc {}
-
-/// Just call with test_no_dealloc::<Type>(None)
-#[inline]
-pub fn test_no_dealloc<T : NoDealloc>(_: Option<T>) { }
diff --git a/src/util/mod.rs b/src/util/mod.rs
index 1a48507d..aab77035 100644
--- a/src/util/mod.rs
+++ b/src/util/mod.rs
@@ -9,7 +9,6 @@ pub(crate) mod chacha20;
 #[cfg(not(feature = "fuzztarget"))]
 pub(crate) mod poly1305;
 pub(crate) mod chacha20poly1305rfc;
-pub(crate) mod internal_traits;
 pub(crate) mod transaction_utils;
 
 #[macro_use]
-- 
2.30.2