bolt11: avoid reading uninitialized memory

If both databits and *data_len are 0, pull_uint return uninitialized stack memory in *val. Detected by valgrind and UBSan. valgrind: ==173904== Use of uninitialised value of size 8 ==173904== __sanitizer_cov_trace_cmp8 ==173904== decode_c (bolt11.c:292) ==173904== bolt11_decode_nosig (bolt11.c:877) UBSan: common/bolt11.c:79:29: runtime error: shift exponent 64 is too large for 64-bit type 'uint64_t' (aka 'unsigned long') Corpus input e6f7b9744a7d79b2aa4f7c477707bdd3483f40fa triggers the UBSan report, but we didn't previously realize this because UBSan has been disabled in the CI run. We rename the input to indicate its usefulness as a permanent regression test.
2024-11-19 09:54:16 +01:00 · 2023-10-17 10:49:25 -05:00 · 2023-10-17 10:49:25 -05:00 · ee501b035b
commit ee501b035b
parent eeec529031
2 changed files with 5 additions and 1 deletions
--- a/common/bolt11.c
+++ b/common/bolt11.c
@ -76,7 +76,11 @@ static const char *pull_uint(struct hash_u5 *hu5,
 	err = pull_bits(hu5, data, data_len, &be_val, databits, true);
 	if (err)
 		return err;
-	*val = be64_to_cpu(be_val) >> (sizeof(be_val) * CHAR_BIT - databits);
+	if (databits == 0)
+		*val = 0;
+	else
+		*val = be64_to_cpu(be_val) >>
+		       (sizeof(be_val) * CHAR_BIT - databits);
 	return NULL;
 }

--- a/tests/fuzz/corpora/fuzz-bolt11/crash-e6f7b9744a7d79b2aa4f7c477707bdd3483f40fa
+++ b/tests/fuzz/corpora/fuzz-bolt11/crash-e6f7b9744a7d79b2aa4f7c477707bdd3483f40fa