Merge pull request #2974 from benthecarman/dang-value

TheBlueMatt · web-flow · commit 6159325ee702 · 2024-03-28T18:34:15.000Z
Add DecodeError::DangerousValue for decoding invalid channel managers
diff --git a/fuzz/src/router.rs b/fuzz/src/router.rs
@@ -157,6 +157,7 @@ pub fn do_test<Out: test_logger::Output>(data: &[u8], out: Out) {
 					msgs::DecodeError::ShortRead => panic!("We picked the length..."),
 					msgs::DecodeError::Io(e) => panic!("{:?}", e),
 					msgs::DecodeError::UnsupportedCompression => return,
+					msgs::DecodeError::DangerousValue => return,
 				}
 			}
 		}}
diff --git a/lightning/src/ln/channelmanager.rs b/lightning/src/ln/channelmanager.rs
@@ -10927,7 +10927,7 @@ where
 						}
 					}
 					if chan.get_latest_unblocked_monitor_update_id() > max_in_flight_update_id {
-						// If the channel is ahead of the monitor, return InvalidValue:
+						// If the channel is ahead of the monitor, return DangerousValue:
 						log_error!(logger, "A ChannelMonitor is stale compared to the current ChannelManager! This indicates a potentially-critical violation of the chain::Watch API!");
 						log_error!(logger, " The ChannelMonitor for channel {} is at update_id {} with update_id through {} in-flight",
 							chan.context.channel_id(), monitor.get_latest_update_id(), max_in_flight_update_id);
@@ -10936,7 +10936,7 @@ where
 						log_error!(logger, " client applications must ensure that ChannelMonitor data is always available and the latest to avoid funds loss!");
 						log_error!(logger, " Without the latest ChannelMonitor we cannot continue without risking funds.");
 						log_error!(logger, " Please ensure the chain::Watch API requirements are met and file a bug report at https://github.com/lightningdevkit/rust-lightning");
-						return Err(DecodeError::InvalidValue);
+						return Err(DecodeError::DangerousValue);
 					}
 				} else {
 					// We shouldn't have persisted (or read) any unfunded channel types so none should have been
diff --git a/lightning/src/ln/msgs.rs b/lightning/src/ln/msgs.rs
@@ -91,6 +91,16 @@ pub enum DecodeError {
 	Io(io::ErrorKind),
 	/// The message included zlib-compressed values, which we don't support.
 	UnsupportedCompression,
+	/// Value is validly encoded but is dangerous to use.
+	///
+	/// This is used for things like [`ChannelManager`] deserialization where we want to ensure
+	/// that we don't use a [`ChannelManager`] which is in out of sync with the [`ChannelMonitor`].
+	/// This indicates that there is a critical implementation flaw in the storage implementation
+	/// and it's unsafe to continue.
+	///
+	/// [`ChannelManager`]: crate::ln::channelmanager::ChannelManager
+	/// [`ChannelMonitor`]: crate::chain::channelmonitor::ChannelMonitor
+	DangerousValue,
 }
 
 /// An [`init`] message to be sent to or received from a peer.
@@ -1860,6 +1870,7 @@ impl fmt::Display for DecodeError {
 			DecodeError::BadLengthDescriptor => f.write_str("A length descriptor in the packet didn't describe the later data correctly"),
 			DecodeError::Io(ref e) => fmt::Debug::fmt(e, f),
 			DecodeError::UnsupportedCompression => f.write_str("We don't support receiving messages with zlib-compressed fields"),
+			DecodeError::DangerousValue => f.write_str("Value would be dangerous to continue execution with"),
 		}
 	}
 }
diff --git a/lightning/src/ln/peer_handler.rs b/lightning/src/ln/peer_handler.rs
@@ -1553,6 +1553,7 @@ impl<Descriptor: SocketDescriptor, CM: Deref, RM: Deref, OM: Deref, L: Deref, CM
 												}
 												(msgs::DecodeError::BadLengthDescriptor, _) => return Err(PeerHandleError { }),
 												(msgs::DecodeError::Io(_), _) => return Err(PeerHandleError { }),
+												(msgs::DecodeError::DangerousValue, _) => return Err(PeerHandleError { }),
 											}
 										}
 									};
diff --git a/lightning/src/ln/reload_tests.rs b/lightning/src/ln/reload_tests.rs
@@ -412,7 +412,7 @@ fn test_manager_serialize_deserialize_inconsistent_monitor() {
 	}
 
 	let mut nodes_0_read = &nodes_0_serialized[..];
-	if let Err(msgs::DecodeError::InvalidValue) =
+	if let Err(msgs::DecodeError::DangerousValue) =
 		<(BlockHash, ChannelManager<&test_utils::TestChainMonitor, &test_utils::TestBroadcaster, &test_utils::TestKeysInterface, &test_utils::TestKeysInterface, &test_utils::TestKeysInterface, &test_utils::TestFeeEstimator, &test_utils::TestRouter, &test_utils::TestLogger>)>::read(&mut nodes_0_read, ChannelManagerReadArgs {
 		default_config: UserConfig::default(),
 		entropy_source: keys_manager,

Original file line number	Diff line number	Diff line change
`@@ -157,6 +157,7 @@ pub fn do_test<Out: test_logger::Output>(data: &[u8], out: Out) {`
`157`	`157`	`msgs::DecodeError::ShortRead => panic!("We picked the length..."),`
`158`	`158`	`msgs::DecodeError::Io(e) => panic!("{:?}", e),`
`159`	`159`	`msgs::DecodeError::UnsupportedCompression => return,`
	`160`	`+ msgs::DecodeError::DangerousValue => return,`
`160`	`161`	`}`
`161`	`162`	`}`
`162`	`163`	`}}`
Original file line number	Diff line number	Diff line change
`@@ -10927,7 +10927,7 @@ where`
`10927`	`10927`	`}`
`10928`	`10928`	`}`
`10929`	`10929`	`if chan.get_latest_unblocked_monitor_update_id() > max_in_flight_update_id {`
`10930`		`- // If the channel is ahead of the monitor, return InvalidValue:`
	`10930`	`+ // If the channel is ahead of the monitor, return DangerousValue:`
`10931`	`10931`	`log_error!(logger, "A ChannelMonitor is stale compared to the current ChannelManager! This indicates a potentially-critical violation of the chain::Watch API!");`
`10932`	`10932`	`log_error!(logger, " The ChannelMonitor for channel {} is at update_id {} with update_id through {} in-flight",`
`10933`	`10933`	`chan.context.channel_id(), monitor.get_latest_update_id(), max_in_flight_update_id);`
`@@ -10936,7 +10936,7 @@ where`
`10936`	`10936`	`log_error!(logger, " client applications must ensure that ChannelMonitor data is always available and the latest to avoid funds loss!");`
`10937`	`10937`	`log_error!(logger, " Without the latest ChannelMonitor we cannot continue without risking funds.");`
`10938`	`10938`	`log_error!(logger, " Please ensure the chain::Watch API requirements are met and file a bug report at https://github.com/lightningdevkit/rust-lightning");`
`10939`		`- return Err(DecodeError::InvalidValue);`
	`10939`	`+ return Err(DecodeError::DangerousValue);`
`10940`	`10940`	`}`
`10941`	`10941`	`} else {`
`10942`	`10942`	`// We shouldn't have persisted (or read) any unfunded channel types so none should have been`
Original file line number	Diff line number	Diff line change
`@@ -91,6 +91,16 @@ pub enum DecodeError {`
`91`	`91`	`Io(io::ErrorKind),`
`92`	`92`	`/// The message included zlib-compressed values, which we don't support.`
`93`	`93`	`UnsupportedCompression,`
	`94`	`+ /// Value is validly encoded but is dangerous to use.`
	`95`	`+ ///`
	`96`	+ /// This is used for things like [`ChannelManager`] deserialization where we want to ensure
	`97`	+ /// that we don't use a [`ChannelManager`] which is in out of sync with the [`ChannelMonitor`].
	`98`	`+ /// This indicates that there is a critical implementation flaw in the storage implementation`
	`99`	`+ /// and it's unsafe to continue.`
	`100`	`+ ///`
	`101`	+ /// [`ChannelManager`]: crate::ln::channelmanager::ChannelManager
	`102`	+ /// [`ChannelMonitor`]: crate::chain::channelmonitor::ChannelMonitor
	`103`	`+ DangerousValue,`
`94`	`104`	`}`
`95`	`105`
`96`	`106`	/// An [`init`] message to be sent to or received from a peer.
`@@ -1860,6 +1870,7 @@ impl fmt::Display for DecodeError {`
`1860`	`1870`	`DecodeError::BadLengthDescriptor => f.write_str("A length descriptor in the packet didn't describe the later data correctly"),`
`1861`	`1871`	`DecodeError::Io(ref e) => fmt::Debug::fmt(e, f),`
`1862`	`1872`	`DecodeError::UnsupportedCompression => f.write_str("We don't support receiving messages with zlib-compressed fields"),`
	`1873`	`+ DecodeError::DangerousValue => f.write_str("Value would be dangerous to continue execution with"),`
`1863`	`1874`	`}`
`1864`	`1875`	`}`
`1865`	`1876`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1553,6 +1553,7 @@ impl<Descriptor: SocketDescriptor, CM: Deref, RM: Deref, OM: Deref, L: Deref, CM`
`1553`	`1553`	`}`
`1554`	`1554`	`(msgs::DecodeError::BadLengthDescriptor, _) => return Err(PeerHandleError { }),`
`1555`	`1555`	`(msgs::DecodeError::Io(_), _) => return Err(PeerHandleError { }),`
	`1556`	`+ (msgs::DecodeError::DangerousValue, _) => return Err(PeerHandleError { }),`
`1556`	`1557`	`}`
`1557`	`1558`	`}`
`1558`	`1559`	`};`
Original file line number	Diff line number	Diff line change
`@@ -412,7 +412,7 @@ fn test_manager_serialize_deserialize_inconsistent_monitor() {`
`412`	`412`	`}`
`413`	`413`
`414`	`414`	`let mut nodes_0_read = &nodes_0_serialized[..];`
`415`		`- if let Err(msgs::DecodeError::InvalidValue) =`
	`415`	`+ if let Err(msgs::DecodeError::DangerousValue) =`
`416`	`416`	`<(BlockHash, ChannelManager<&test_utils::TestChainMonitor, &test_utils::TestBroadcaster, &test_utils::TestKeysInterface, &test_utils::TestKeysInterface, &test_utils::TestKeysInterface, &test_utils::TestFeeEstimator, &test_utils::TestRouter, &test_utils::TestLogger>)>::read(&mut nodes_0_read, ChannelManagerReadArgs {`
`417`	`417`	`default_config: UserConfig::default(),`
`418`	`418`	`entropy_source: keys_manager,`