From c1f20687a6babbd2ded354553936889ebda8f142 Mon Sep 17 00:00:00 2001
From: Matt Morehouse
Date: Tue, 17 Oct 2023 11:49:25 -0500
Subject: [PATCH] bolt11: validate recovery ID

Invalid recovery IDs cause secp256k1_ecdsa_recoverable_signature_parse_compact to abort, which crashes the entire node. We should return an error instead.

Detected by libFuzzer: [libsecp256k1] illegal argument: recid >= 0 && recid <= 3
---
 common/bolt11.c | 6 ++++++
 .../crash-02a760b43a1728ac699ca34f2a01d01cd4e6385f | 1 +
 2 files changed, 7 insertions(+)
 create mode 100644 tests/fuzz/corpora/fuzz-bolt11/crash-02a760b43a1728ac699ca34f2a01d01cd4e6385f

diff --git a/common/bolt11.c b/common/bolt11.c
index 4b66fafdb0a4..c6eb0bd8f2bc 100644
--- a/common/bolt11.c
+++ b/common/bolt11.c
@@ -923,6 +923,8 @@ struct bolt11 *bolt11_decode_nosig(const tal_t *ctx, const char *str,
 	return b11;
 }
 
+static bool valid_recovery_id(u8 recid) { return recid <= 3; }
+
 /* Decodes and checks signature; returns NULL on error. */
 struct bolt11 *bolt11_decode(const tal_t *ctx, const char *str,
 			     const struct feature_set *our_features,
@@ -963,6 +965,10 @@ struct bolt11 *bolt11_decode(const tal_t *ctx, const char *str,
 
 	assert(data_len == 0);
 
+	if (!valid_recovery_id(sig_and_recid[64]))
+		return decode_fail(b11, fail, "invalid recovery ID: %u",
+				   sig_and_recid[64]);
+
 	if (!secp256k1_ecdsa_recoverable_signature_parse_compact
 	    (secp256k1_ctx, &sig, sig_and_recid, sig_and_recid[64]))
 		return decode_fail(b11, fail, "signature invalid");
diff --git a/tests/fuzz/corpora/fuzz-bolt11/crash-02a760b43a1728ac699ca34f2a01d01cd4e6385f b/tests/fuzz/corpora/fuzz-bolt11/crash-02a760b43a1728ac699ca34f2a01d01cd4e6385f
new file mode 100644
index 000000000000..ba39072e1ca3
--- /dev/null
+++ b/tests/fuzz/corpora/fuzz-bolt11/crash-02a760b43a1728ac699ca34f2a01d01cd4e6385f
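Review bot: The new guard before the secp256k1_ecdsa_recoverable_signature_parse_compact call fixes this one call site, but the root cause is that libsecp256k1's default illegal-argument callback aborts the process, so any other argument-validation failure reachable from untrusted input would crash the node the same way; consider installing a non-aborting handler with `secp256k1_context_set_illegal_callback(secp256k1_ctx, ...)` where the context is created (outside this hunk) as defense in depth, keeping this explicit check for the clear error message. The read of `sig_and_recid[64]` assumes the signature field was decoded to exactly 65 bytes earlier in bolt11_decode, which lies outside the hunk and should be confirmed; the `assert(data_len == 0)` just above is the same crash-on-bad-input class if that invariant is not established by the preceding parsing. The helper would benefit from a one-line comment recording why the bound exists, e.g. `/* libsecp256k1 aborts on recid > 3; reject it so a malformed invoice cannot crash the node. */`. bolt11_decode's body continues outside the hunk.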
@@ -0,0 +1 @@
+lnbc1qqygh9qpp5s7zxqqqqqqqqqqqqpjqqqqqqqqqqqqqqqqqqcqpjqqqsqqqqqqqqdqqqqqqqqqqqqqqqqqqqqqqqqqqqqquqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqzxqqqqqqqqqqqqqqqy6f523d
\ No newline at end of file