bolt11: don't abort on invalid pubkey

Rather than crashing the entire node on invalid pubkey, we should return an error. Detected by libFuzzer: ==250024== ERROR: libFuzzer: deadly signal [ Changed so that `n` really does check that it's valid --RR ] #7 abort #8 bolt11_decode common/bolt11.c:1002:4
rustyrussell · Oct 17, 2023 · dfcf81d · dfcf81d
1 parent 3f18a7c
commit dfcf81d
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 2 deletions.
diff --git a/common/bolt11.c b/common/bolt11.c
@@ -306,14 +306,26 @@ static const char *decode_n(struct bolt11 *b11,
 			    const u5 **data, size_t *field_len,
 			    bool *have_n)
 {
+	const char *err;
+
 	assert(!*have_n);
 	/* BOLT #11:
 	 *
 	 * A reader... MUST skip over unknown fields, OR an `f` field
 	 * with unknown `version`, OR `p`, `h`, `s` or `n` fields that do
 	 * NOT have `data_length`s of 52, 52, 52 or 53, respectively. */
-	return pull_expected_length(b11, hu5, data, field_len, 53, 'n',
-				    have_n, &b11->receiver_id.k);
+	err = pull_expected_length(b11, hu5, data, field_len, 53, 'n',
+				   have_n, &b11->receiver_id.k);
+
+	/* If that gave us nodeid, check it. */
+	if (*have_n) {
+		struct pubkey k;
+		if (!pubkey_from_node_id(&k, &b11->receiver_id))
+			return tal_fmt(b11, "invalid public key %s",
+				       node_id_to_hexstr(tmpctx, &b11->receiver_id));
+	}
+
+	return err;
 }
 
 /* BOLT #11:

diff --git a/tests/fuzz/corpora/fuzz-bolt11-decode/crash-08a0ea0c1dd7003293bf5d6e05708c6918757cd7 b/tests/fuzz/corpora/fuzz-bolt11-decode/crash-08a0ea0c1dd7003293bf5d6e05708c6918757cd7