From 50bffd67c237c6c1eebc7e8a535fce0d495af763 Mon Sep 17 00:00:00 2001
From: Rusty Russell <rusty@rustcorp.com.au>
Date: Wed, 29 Jun 2016 06:49:20 +0930
Subject: [PATCH] daemon: don't save invalid commit signatures.

We don't want anyone to think the commitment tx is signed, so only
assign ci->sig after validation.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
---
 daemon/packets.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/daemon/packets.c b/daemon/packets.c
index 1abbc9a97..d7dc13a13 100644
--- a/daemon/packets.c
+++ b/daemon/packets.c
@@ -526,21 +526,29 @@ static Pkt *check_and_save_commit_sig(struct peer *peer,
 				      struct commit_info *ci,
 				      const Signature *pb)
 {
+	struct bitcoin_signature *sig = tal(ci, struct bitcoin_signature);
+
 	assert(!ci->sig);
-	ci->sig = tal(ci, struct bitcoin_signature);
-	ci->sig->stype = SIGHASH_ALL;
-	if (!proto_to_signature(pb, &ci->sig->sig))
+	sig->stype = SIGHASH_ALL;
+	if (!proto_to_signature(pb, &sig->sig))
 		return pkt_err(peer, "Malformed signature");
 
+	log_debug(peer->log, "Checking sig for %u/%u msatoshis, %zu/%zu htlcs",
+		  ci->cstate->side[OURS].pay_msat,
+		  ci->cstate->side[THEIRS].pay_msat,
+		  tal_count(ci->cstate->side[OURS].htlcs),
+		  tal_count(ci->cstate->side[THEIRS].htlcs));
+
 	/* Their sig should sign our commit tx. */
 	if (!check_tx_sig(peer->dstate->secpctx,
 			  ci->tx, 0,
 			  NULL, 0,
 			  peer->anchor.witnessscript,
 			  &peer->remote.commitkey,
-			  ci->sig))
+			  sig))
 		return pkt_err(peer, "Bad signature");
 
+	ci->sig = sig;
 	return NULL;
 }