From 032632b4e01120d7ef2c23a4440766a7869ca068 Mon Sep 17 00:00:00 2001
From: eugene <elzeigel@gmail.com>
Date: Fri, 2 Dec 2022 14:51:53 -0500
Subject: [PATCH] multi: update to tlv/v1.1.0 and use new *P2P tlv decoding
 variants

This changes the call-sites in several places to use the *P2P variants
to not trigger an OOM on untrusted input. This makes the code safe with
the new tlv version. Note that the call-sites prior to this change were
also safe.
---
 go.mod                    | 2 +-
 go.sum                    | 5 +++--
 htlcswitch/hop/payload.go | 4 +++-
 lnwire/extra_bytes.go     | 4 +++-
 rpcserver.go              | 4 +++-
 5 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/go.mod b/go.mod
index 5433b550c..d62c7e28d 100644
--- a/go.mod
+++ b/go.mod
@@ -38,7 +38,7 @@ require (
 	github.com/lightningnetwork/lnd/kvdb v1.3.1
 	github.com/lightningnetwork/lnd/queue v1.1.0
 	github.com/lightningnetwork/lnd/ticker v1.1.0
-	github.com/lightningnetwork/lnd/tlv v1.0.3
+	github.com/lightningnetwork/lnd/tlv v1.1.0
 	github.com/lightningnetwork/lnd/tor v1.1.0
 	github.com/ltcsuite/ltcd v0.0.0-20190101042124-f37f8bf35796
 	github.com/miekg/dns v1.1.43
diff --git a/go.sum b/go.sum
index 4003fcfdf..df257febe 100644
--- a/go.sum
+++ b/go.sum
@@ -77,6 +77,7 @@ github.com/btcsuite/btcd v0.22.0-beta.0.20220207191057-4dc4ff7963b4/go.mod h1:7a
 github.com/btcsuite/btcd v0.22.0-beta.0.20220316175102-8d5c75c28923/go.mod h1:taIcYprAW2g6Z9S0gGUxyR+zDwimyDMK5ePOX+iJ2ds=
 github.com/btcsuite/btcd v0.23.0/go.mod h1:0QJIIN1wwIXF/3G/m87gIwGniDMDQqjVn4SZgnFpsYY=
 github.com/btcsuite/btcd v0.23.1/go.mod h1:0QJIIN1wwIXF/3G/m87gIwGniDMDQqjVn4SZgnFpsYY=
+github.com/btcsuite/btcd v0.23.3/go.mod h1:0QJIIN1wwIXF/3G/m87gIwGniDMDQqjVn4SZgnFpsYY=
 github.com/btcsuite/btcd v0.23.4 h1:IzV6qqkfwbItOS/sg/aDfPDsjPP8twrCOE2R93hxMlQ=
 github.com/btcsuite/btcd v0.23.4/go.mod h1:0QJIIN1wwIXF/3G/m87gIwGniDMDQqjVn4SZgnFpsYY=
 github.com/btcsuite/btcd/btcec/v2 v2.1.0/go.mod h1:2VzYrv4Gm4apmbVVsSq5bqf1Ec8v56E48Vt0Y/umPgA=
@@ -459,8 +460,8 @@ github.com/lightningnetwork/lnd/ticker v1.0.0/go.mod h1:iaLXJiVgI1sPANIF2qYYUJXj
 github.com/lightningnetwork/lnd/ticker v1.1.0 h1:ShoBiRP3pIxZHaETndfQ5kEe+S4NdAY1hiX7YbZ4QE4=
 github.com/lightningnetwork/lnd/ticker v1.1.0/go.mod h1:ubqbSVCn6RlE0LazXuBr7/Zi6QT0uQo++OgIRBxQUrk=
 github.com/lightningnetwork/lnd/tlv v1.0.2/go.mod h1:fICAfsqk1IOsC1J7G9IdsWX1EqWRMqEDCNxZJSKr9C4=
-github.com/lightningnetwork/lnd/tlv v1.0.3 h1:0xBZcPuXagP6f7TY/RnLNR4igE21ov6qUdTr5NyvhhI=
-github.com/lightningnetwork/lnd/tlv v1.0.3/go.mod h1:dzR/aZetBri+ZY/fHbwV06fNn/3UID6htQzbHfREFdo=
+github.com/lightningnetwork/lnd/tlv v1.1.0 h1:gsyte75HVuA/X59O+BhaISHM6OobZ0YesPbdu+xG1h0=
+github.com/lightningnetwork/lnd/tlv v1.1.0/go.mod h1:0+JKp4un47MG1lnj6jKa8woNeB1X7w3yF4MZB1NHiiE=
 github.com/lightningnetwork/lnd/tor v1.0.0/go.mod h1:RDtaAdwfAm+ONuPYwUhNIH1RAvKPv+75lHPOegUcz64=
 github.com/lightningnetwork/lnd/tor v1.1.0 h1:iXO7fSzjxTI+p88KmtpbuyuRJeNfgtpl9QeaAliILXE=
 github.com/lightningnetwork/lnd/tor v1.1.0/go.mod h1:RDtaAdwfAm+ONuPYwUhNIH1RAvKPv+75lHPOegUcz64=
diff --git a/htlcswitch/hop/payload.go b/htlcswitch/hop/payload.go
index be7be5eeb..d4672766c 100644
--- a/htlcswitch/hop/payload.go
+++ b/htlcswitch/hop/payload.go
@@ -139,7 +139,9 @@ func NewPayloadFromReader(r io.Reader) (*Payload, error) {
 		return nil, err
 	}
 
-	parsedTypes, err := tlvStream.DecodeWithParsedTypes(r)
+	// Since this data is provided by a potentially malicious peer, pass it
+	// into the P2P decoding variant.
+	parsedTypes, err := tlvStream.DecodeWithParsedTypesP2P(r)
 	if err != nil {
 		return nil, err
 	}
diff --git a/lnwire/extra_bytes.go b/lnwire/extra_bytes.go
index 88b914c38..17fd6df67 100644
--- a/lnwire/extra_bytes.go
+++ b/lnwire/extra_bytes.go
@@ -97,7 +97,9 @@ func (e *ExtraOpaqueData) ExtractRecords(recordProducers ...tlv.RecordProducer)
 		return nil, err
 	}
 
-	return tlvStream.DecodeWithParsedTypes(extraBytesReader)
+	// Since ExtraOpaqueData is provided by a potentially malicious peer,
+	// pass it into the P2P decoding variant.
+	return tlvStream.DecodeWithParsedTypesP2P(extraBytesReader)
 }
 
 // EncodeMessageExtraData encodes the given recordProducers into the given
diff --git a/rpcserver.go b/rpcserver.go
index 847e9564c..e954cbc49 100644
--- a/rpcserver.go
+++ b/rpcserver.go
@@ -5760,7 +5760,9 @@ func marshalExtraOpaqueData(data []byte) map[uint64][]byte {
 		return nil
 	}
 
-	parsedTypes, err := tlvStream.DecodeWithParsedTypes(r)
+	// Since ExtraOpaqueData is provided by a potentially malicious peer,
+	// pass it into the P2P decoding variant.
+	parsedTypes, err := tlvStream.DecodeWithParsedTypesP2P(r)
 	if err != nil || len(parsedTypes) == 0 {
 		return nil
 	}