Correctly verify and forward excess data post-signature in signed announcement messages

fuzz/Cargo.toml

@@ -62,11 +62,11 @@ path = "fuzz_targets/msg_pong_target.rs"
 
 [[bin]]
 name = "msg_error_message_target"
-path = "fuzz_targets/msg_error_message_target.rs"
+path = "fuzz_targets/msg_targets/msg_error_message_target.rs"
 
 [[bin]]
 name = "msg_update_add_htlc_target"
-path = "fuzz_targets/msg_update_add_htlc_target.rs"
+path = "fuzz_targets/msg_targets/msg_update_add_htlc_target.rs"
 
 [[bin]]
 name = "msg_accept_channel_target"
@@ -123,3 +123,31 @@ path = "fuzz_targets/msg_targets/msg_update_fail_htlc_target.rs"
 [[bin]]
 name = "msg_channel_reestablish_target"
 path = "fuzz_targets/msg_targets/msg_channel_reestablish_target.rs"
+
+[[bin]]
+name = "msg_announcement_signatures_target"
+path = "fuzz_targets/msg_targets/msg_announcement_signatures_target.rs"
+
+[[bin]]
+name = "msg_channel_announcement_target"
+path = "fuzz_targets/msg_targets/msg_channel_announcement_target.rs"
+
+[[bin]]
+name = "msg_channel_update_target"
+path = "fuzz_targets/msg_targets/msg_channel_update_target.rs"
+
+[[bin]]
+name = "msg_decoded_onion_error_packet_target"
+path = "fuzz_targets/msg_targets/msg_decoded_onion_error_packet_target.rs"
+
+[[bin]]
+name = "msg_init_target"
+path = "fuzz_targets/msg_targets/msg_init_target.rs"
+
+[[bin]]
+name = "msg_node_announcement_target"
+path = "fuzz_targets/msg_targets/msg_node_announcement_target.rs"
+
+[[bin]]
+name = "msg_onion_hop_data_target"
+path = "fuzz_targets/msg_targets/msg_onion_hop_data_target.rs"

fuzz/fuzz_targets/channel_target.rs

@@ -124,6 +124,7 @@ pub fn do_test(data: &[u8]) {
 				Ok(msg) => msg,
 				Err(e) => match e {
 					msgs::DecodeError::UnknownRealmByte => return,
+					msgs::DecodeError::UnknownRequiredFeature => return,
 					msgs::DecodeError::BadPublicKey => return,
 					msgs::DecodeError::BadSignature => return,
 					msgs::DecodeError::BadText => return,
@@ -146,6 +147,7 @@ pub fn do_test(data: &[u8]) {
 					Ok(msg) => msg,
 					Err(e) => match e {
 						msgs::DecodeError::UnknownRealmByte => return,
+						msgs::DecodeError::UnknownRequiredFeature => return,
 						msgs::DecodeError::BadPublicKey => return,
 						msgs::DecodeError::BadSignature => return,
 						msgs::DecodeError::BadText => return,

fuzz/fuzz_targets/msg_targets/gen_target.sh

@@ -1,5 +1,33 @@
-for target in CommitmentSigned FundingCreated FundingLocked FundingSigned OpenChannel RevokeAndACK Shutdown UpdateFailHTLC UpdateFailMalformedHTLC UpdateFee UpdateFulfillHTLC AcceptChannel ClosingSigned ChannelReestablish; do
-	tn=$(echo $target | sed 's/\([a-z0-9]\)\([A-Z]\)/\1_\2/g')
+#!/bin/sh
+
+GEN_TEST() {
+	tn=$(echo $1 | sed 's/\([a-z0-9]\)\([A-Z]\)/\1_\2/g')
 	fn=msg_$(echo $tn | tr '[:upper:]' '[:lower:]')_target.rs
-	cat msg_target_template.txt | sed s/MSG_TARGET/$target/ > $fn
-done
+	cat msg_target_template.txt | sed s/MSG_TARGET/$1/ | sed "s/TEST_MSG/$2/" | sed "s/EXTRA_ARGS/$3/" > $fn
+}
+
+GEN_TEST AcceptChannel test_msg ""
+GEN_TEST AnnouncementSignatures test_msg ""
+GEN_TEST ChannelReestablish test_msg ""
+GEN_TEST ClosingSigned test_msg ""
+GEN_TEST CommitmentSigned test_msg ""
+GEN_TEST DecodedOnionErrorPacket test_msg ""
+GEN_TEST FundingCreated test_msg ""
+GEN_TEST FundingLocked test_msg ""
+GEN_TEST FundingSigned test_msg ""
+GEN_TEST Init test_msg ""
+GEN_TEST OpenChannel test_msg ""
+GEN_TEST RevokeAndACK test_msg ""
+GEN_TEST Shutdown test_msg ""
+GEN_TEST UpdateFailHTLC test_msg ""
+GEN_TEST UpdateFailMalformedHTLC test_msg ""
+GEN_TEST UpdateFee test_msg ""
+GEN_TEST UpdateFulfillHTLC test_msg ""
+
+GEN_TEST ChannelAnnouncement test_msg_exact ""
+GEN_TEST ChannelUpdate test_msg_exact ""
+GEN_TEST NodeAnnouncement test_msg_exact ""
+
+GEN_TEST UpdateAddHTLC test_msg_hole ", 85, 33"
+GEN_TEST ErrorMessage test_msg_hole ", 32, 2"
+GEN_TEST OnionHopData test_msg_hole ", 1+8+8+4, 12"

fuzz/fuzz_targets/msg_targets/msg_announcement_signatures_target.rs

@@ -0,0 +1,46 @@
+// This file is auto-generated by gen_target.sh based on msg_target_template.txt
+// To modify it, modify msg_target_template.txt and run gen_target.sh instead.
+
+extern crate lightning;
+
+use lightning::ln::msgs;
+use lightning::util::reset_rng_state;
+
+use lightning::ln::msgs::{MsgEncodable, MsgDecodable};
+
+mod utils;
+
+#[inline]
+pub fn do_test(data: &[u8]) {
+	reset_rng_state();
+	test_msg!(msgs::AnnouncementSignatures, data);
+}
+
+#[cfg(feature = "afl")]
+#[macro_use] extern crate afl;
+#[cfg(feature = "afl")]
+fn main() {
+	fuzz!(|data| {
+		do_test(data);
+	});
+}
+
+#[cfg(feature = "honggfuzz")]
+#[macro_use] extern crate honggfuzz;
+#[cfg(feature = "honggfuzz")]
+fn main() {
+	loop {
+		fuzz!(|data| {
+			do_test(data);
+		});
+	}
+}
+
+extern crate hex;
+#[cfg(test)]
+mod tests {
+	#[test]
+	fn duplicate_crash() {
+		super::do_test(&::hex::decode("00").unwrap());
+	}
+}

fuzz/fuzz_targets/msg_targets/msg_channel_announcement_target.rs

@@ -0,0 +1,46 @@
+// This file is auto-generated by gen_target.sh based on msg_target_template.txt
+// To modify it, modify msg_target_template.txt and run gen_target.sh instead.
+
+extern crate lightning;
+
+use lightning::ln::msgs;
+use lightning::util::reset_rng_state;
+
+use lightning::ln::msgs::{MsgEncodable, MsgDecodable};
+
+mod utils;
+
+#[inline]
+pub fn do_test(data: &[u8]) {
+	reset_rng_state();
+	test_msg_exact!(msgs::ChannelAnnouncement, data);
+}
+
+#[cfg(feature = "afl")]
+#[macro_use] extern crate afl;
+#[cfg(feature = "afl")]
+fn main() {
+	fuzz!(|data| {
+		do_test(data);
+	});
+}
+
+#[cfg(feature = "honggfuzz")]
+#[macro_use] extern crate honggfuzz;
+#[cfg(feature = "honggfuzz")]
+fn main() {
+	loop {
+		fuzz!(|data| {
+			do_test(data);
+		});
+	}
+}
+
+extern crate hex;
+#[cfg(test)]
+mod tests {
+	#[test]
+	fn duplicate_crash() {
+		super::do_test(&::hex::decode("00").unwrap());
+	}
+}

fuzz/fuzz_targets/msg_update_add_htlc_target.rs → fuzz/fuzz_targets/msg_targets/msg_channel_update_target.rs

@@ -1,18 +1,19 @@
+// This file is auto-generated by gen_target.sh based on msg_target_template.txt
+// To modify it, modify msg_target_template.txt and run gen_target.sh instead.
+
 extern crate lightning;
 
 use lightning::ln::msgs;
 use lightning::util::reset_rng_state;
 
 use lightning::ln::msgs::{MsgEncodable, MsgDecodable};
 
+mod utils;
+
 #[inline]
 pub fn do_test(data: &[u8]) {
 	reset_rng_state();
-	if let Ok(msg) = msgs::UpdateAddHTLC::decode(data){
-		let enc = msg.encode();
-		assert_eq!(&data[0..85], &enc[0..85]);
-		assert_eq!(&data[85+33..enc.len()], &enc[85+33..]);
-	}
+	test_msg_exact!(msgs::ChannelUpdate, data);
 }
 
 #[cfg(feature = "afl")]

fuzz/fuzz_targets/msg_targets/msg_decoded_onion_error_packet_target.rs

@@ -0,0 +1,46 @@
+// This file is auto-generated by gen_target.sh based on msg_target_template.txt
+// To modify it, modify msg_target_template.txt and run gen_target.sh instead.
+
+extern crate lightning;
+
+use lightning::ln::msgs;
+use lightning::util::reset_rng_state;
+
+use lightning::ln::msgs::{MsgEncodable, MsgDecodable};
+
+mod utils;
+
+#[inline]
+pub fn do_test(data: &[u8]) {
+	reset_rng_state();
+	test_msg!(msgs::DecodedOnionErrorPacket, data);
+}
+
+#[cfg(feature = "afl")]
+#[macro_use] extern crate afl;
+#[cfg(feature = "afl")]
+fn main() {
+	fuzz!(|data| {
+		do_test(data);
+	});
+}
+
+#[cfg(feature = "honggfuzz")]
+#[macro_use] extern crate honggfuzz;
+#[cfg(feature = "honggfuzz")]
+fn main() {
+	loop {
+		fuzz!(|data| {
+			do_test(data);
+		});
+	}
+}
+
+extern crate hex;
+#[cfg(test)]
+mod tests {
+	#[test]
+	fn duplicate_crash() {
+		super::do_test(&::hex::decode("00").unwrap());
+	}
+}

fuzz/fuzz_targets/msg_targets/msg_error_message_target.rs

@@ -0,0 +1,46 @@
+// This file is auto-generated by gen_target.sh based on msg_target_template.txt
+// To modify it, modify msg_target_template.txt and run gen_target.sh instead.
+
+extern crate lightning;
+
+use lightning::ln::msgs;
+use lightning::util::reset_rng_state;
+
+use lightning::ln::msgs::{MsgEncodable, MsgDecodable};
+
+mod utils;
+
+#[inline]
+pub fn do_test(data: &[u8]) {
+	reset_rng_state();
+	test_msg_hole!(msgs::ErrorMessage, data, 32, 2);
+}
+
+#[cfg(feature = "afl")]
+#[macro_use] extern crate afl;
+#[cfg(feature = "afl")]
+fn main() {
+	fuzz!(|data| {
+		do_test(data);
+	});
+}
+
+#[cfg(feature = "honggfuzz")]
+#[macro_use] extern crate honggfuzz;
+#[cfg(feature = "honggfuzz")]
+fn main() {
+	loop {
+		fuzz!(|data| {
+			do_test(data);
+		});
+	}
+}
+
+extern crate hex;
+#[cfg(test)]
+mod tests {
+	#[test]
+	fn duplicate_crash() {
+		super::do_test(&::hex::decode("00").unwrap());
+	}
+}

fuzz/fuzz_targets/msg_error_message_target.rs → fuzz/fuzz_targets/msg_targets/msg_init_target.rs

@@ -1,18 +1,19 @@
+// This file is auto-generated by gen_target.sh based on msg_target_template.txt
+// To modify it, modify msg_target_template.txt and run gen_target.sh instead.
+
 extern crate lightning;
 
 use lightning::ln::msgs;
 use lightning::util::reset_rng_state;
 
 use lightning::ln::msgs::{MsgEncodable, MsgDecodable};
 
+mod utils;
+
 #[inline]
 pub fn do_test(data: &[u8]) {
 	reset_rng_state();
-	if let Ok(msg) = msgs::ErrorMessage::decode(data){
-		let enc = msg.encode();
-		assert_eq!(&data[0..32], &enc[0..32]);
-		assert_eq!(&data[34..enc.len()], &enc[34..]);
-	}
+	test_msg!(msgs::Init, data);
 }
 
 #[cfg(feature = "afl")]

fuzz/fuzz_targets/msg_targets/msg_node_announcement_target.rs

@@ -0,0 +1,46 @@
+// This file is auto-generated by gen_target.sh based on msg_target_template.txt
+// To modify it, modify msg_target_template.txt and run gen_target.sh instead.
+
+extern crate lightning;
+
+use lightning::ln::msgs;
+use lightning::util::reset_rng_state;
+
+use lightning::ln::msgs::{MsgEncodable, MsgDecodable};
+
+mod utils;
+
+#[inline]
+pub fn do_test(data: &[u8]) {
+	reset_rng_state();
+	test_msg_exact!(msgs::NodeAnnouncement, data);
+}
+
+#[cfg(feature = "afl")]
+#[macro_use] extern crate afl;
+#[cfg(feature = "afl")]
+fn main() {
+	fuzz!(|data| {
+		do_test(data);
+	});
+}
+
+#[cfg(feature = "honggfuzz")]
+#[macro_use] extern crate honggfuzz;
+#[cfg(feature = "honggfuzz")]
+fn main() {
+	loop {
+		fuzz!(|data| {
+			do_test(data);
+		});
+	}
+}
+
+extern crate hex;
+#[cfg(test)]
+mod tests {
+	#[test]
+	fn duplicate_crash() {
+		super::do_test(&::hex::decode("00").unwrap());
+	}
+}