Skip to content

Enforce minimum witness program length for fallback addresses in BOLT11 parsing#8219

Merged
rustyrussell merged 1 commit intoElementsProject:masterfrom
erickcestari:minimun-witness-fallback
Apr 15, 2025
Merged

Enforce minimum witness program length for fallback addresses in BOLT11 parsing#8219
rustyrussell merged 1 commit intoElementsProject:masterfrom
erickcestari:minimun-witness-fallback

Conversation

@erickcestari
Copy link
Contributor

@erickcestari erickcestari commented Apr 8, 2025

This PR fixes an issue with BOLT11 fallback address validation discovered through differential fuzzing between Lightning implementations. Core Lightning was accepting invoices with non-standard witness address fallbacks that other implementations correctly reject.

While comparing parse results from LND, LDK, and Core Lightning using the bitcoinfuzz PR #132, I found that Core Lightning enforces the 40-byte upper limit for witness programs as per BIP-141, but doesn't check the 2-byte minimum length requirement.

The fix is minimal: adding a lower bound check to ensure witness programs are at least 2 bytes long, bringing Core Lightning in line with both the BIP-141 specification and other Lightning implementations.

Checklist

Before submitting the PR, ensure the following tasks are completed. If an item is not applicable to your PR, please mark it as checked:

  • The changelog has been updated in the relevant commit(s) according to the guidelines.
  • Tests have been added or modified to reflect the changes.
  • Documentation has been reviewed and updated as needed.
  • Related issues have been listed and linked, including any that this PR closes.

@erickcestari erickcestari force-pushed the minimun-witness-fallback branch from 3848898 to 1ab463f Compare April 8, 2025 13:20
@erickcestari
common/bolt11: enforce minimum witness program length for fallback ad…
693b277 
…dresses

BIP-141 specifies that a witness program must be between 2 and 40 bytes in
length. In our fallback address parsing, we were already checking the upper
bound, but missing the lower bound check. This commit adds validation to
ensure fallback address witness programs are at least 2 bytes long, bringing
our implementation in line with the spec and other implementations like
rust-lightning.

Changelog-Fixed: Enforced minimum witness program length of 2 bytes for
fallback addresses to comply with BIP-141 and prevent invalid decodings.
@erickcestari erickcestari force-pushed the minimun-witness-fallback branch from 1ab463f to 693b277 Compare April 8, 2025 13:34
vincenzopalazzo
vincenzopalazzo approved these changes Apr 8, 2025
View reviewed changes
Copy link
Collaborator

@vincenzopalazzo vincenzopalazzo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK 693b277

The CI changes looks like unrelated

@rustyrussell rustyrussell merged commit d731979 into ElementsProject:master Apr 15, 2025
34 of 40 checks passed
@rustyrussell
Copy link
Contributor

rustyrussell commented Apr 15, 2025

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@vincenzopalazzo vincenzopalazzo vincenzopalazzo approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@erickcestari @rustyrussell @vincenzopalazzo