lightningd: check scriptpubkey in shutdown.

Important: a non-standard one can make the closing tx not propagate. Drive-by cut&paste message fix, too. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2025-01-17 19:03:42 +01:00 · 2017-06-27 13:21:07 +09:30 · 2017-06-27 13:21:07 +09:30 · ac1172c7b0
commit ac1172c7b0
parent 4881129f54
1 changed files with 22 additions and 1 deletions
--- a/lightningd/peer_control.c
+++ b/lightningd/peer_control.c
@ -970,7 +970,7 @@ static int peer_got_shutdown(struct peer *peer, const u8 *msg)
 	u8 *scriptpubkey;

 	if (!fromwire_channel_got_shutdown(peer, msg, NULL, &scriptpubkey)) {
-		log_broken(peer->log, "bad channel_got_funding_locked %s",
+		log_broken(peer->log, "bad channel_got_shutdown %s",
 			   tal_hex(peer, msg));
 		return -1;
 	}
@ -979,6 +979,27 @@ static int peer_got_shutdown(struct peer *peer, const u8 *msg)
 	peer->remote_shutdown_scriptpubkey
 		= tal_free(peer->remote_shutdown_scriptpubkey);
 	peer->remote_shutdown_scriptpubkey = scriptpubkey;
+
+	/* BOLT #2:
+	 *
+	 * A sending node MUST set `scriptpubkey` to one of the following forms:
+	 *
+	 * 1. `OP_DUP` `OP_HASH160` `20` 20-bytes `OP_EQUALVERIFY` `OP_CHECKSIG`
+	 *   (pay to pubkey hash), OR
+	 * 2. `OP_HASH160` `20` 20-bytes `OP_EQUAL` (pay to script hash), OR
+	 * 3. `OP_0` `20` 20-bytes (version 0 pay to witness pubkey), OR
+	 * 4. `OP_0` `32` 32-bytes (version 0 pay to witness script hash)
+	 *
+	 * A receiving node SHOULD fail the connection if the `scriptpubkey`
+	 * is not one of those forms. */
+	if (!is_p2pkh(scriptpubkey) && !is_p2sh(scriptpubkey)
+	    && !is_p2wpkh(scriptpubkey) && !is_p2wsh(scriptpubkey)) {
+		u8 *msg = (u8 *)tal_fmt(peer, "Bad shutdown scriptpubkey %s",
+					tal_hex(peer, scriptpubkey));
+		peer_fail_permanent(peer, take(msg));
+		return -1;
+	}
+
 	/* FIXME: Save to db */

 	if (peer->local_shutdown_idx == -1) {