WIP: Limit TLV stream decoding to type ranges

jkczyz · jkczyz · commit ff368a4ae16a · 2022-10-07T16:05:49.000-05:00
diff --git a/lightning/src/offers/invoice_request.rs b/lightning/src/offers/invoice_request.rs
@@ -56,11 +56,12 @@ use bitcoin::secp256k1::schnorr::Signature;
 use core::convert::TryFrom;
 use io;
 use ln::features::OfferFeatures;
+use ln::msgs::DecodeError;
 use offers::merkle::{SignatureTlvStream, SignatureTlvStreamRef, self};
 use offers::offer::{Amount, Offer, OfferContents, OfferTlvStream, OfferTlvStreamRef};
 use offers::parse::{ParseError, SemanticError};
 use offers::payer::{PayerContents, PayerTlvStream, PayerTlvStreamRef};
-use util::ser::{HighZeroBytesDroppedBigSize, Readable, WithoutLength, Writeable, Writer};
+use util::ser::{HighZeroBytesDroppedBigSize, SeekReadable, WithoutLength, Writeable, Writer};
 
 use prelude::*;
 
@@ -341,12 +342,19 @@ impl TryFrom<Vec<u8>> for InvoiceRequest {
 	type Error = ParseError;
 
 	fn try_from(bytes: Vec<u8>) -> Result<Self, Self::Error> {
-		let tlv_stream: FullInvoiceRequestTlvStream = Readable::read(&mut &bytes[..])?;
+		let mut cursor = io::Cursor::new(bytes);
+		let tlv_stream: FullInvoiceRequestTlvStream = SeekReadable::read(&mut cursor)?;
+
+		if cursor.position() < cursor.get_ref().len() as u64 {
+			return Err(ParseError::Decode(DecodeError::InvalidValue));
+		}
+
+		let bytes = cursor.into_inner();
 		InvoiceRequest::try_from((bytes, tlv_stream))
 	}
 }
 
-tlv_stream!(InvoiceRequestTlvStream, InvoiceRequestTlvStreamRef, {
+tlv_stream!(InvoiceRequestTlvStream, InvoiceRequestTlvStreamRef, 80..160, {
 	(80, chain: ChainHash),
 	(82, amount: (u64, HighZeroBytesDroppedBigSize)),
 	(84, features: OfferFeatures),
@@ -360,6 +368,17 @@ type ParsedInvoiceRequest = (Vec<u8>, FullInvoiceRequestTlvStream);
 type FullInvoiceRequestTlvStream =
 	(PayerTlvStream, OfferTlvStream, InvoiceRequestTlvStream, SignatureTlvStream);
 
+impl SeekReadable for FullInvoiceRequestTlvStream {
+	fn read<R: io::Read + io::Seek>(r: &mut R) -> Result<Self, DecodeError> {
+		let payer = SeekReadable::read(r)?;
+		let offer = SeekReadable::read(r)?;
+		let invoice_request = SeekReadable::read(r)?;
+		let signature = SeekReadable::read(r)?;
+
+		Ok((payer, offer, invoice_request, signature))
+	}
+}
+
 type PartialInvoiceRequestTlvStream = (PayerTlvStream, OfferTlvStream, InvoiceRequestTlvStream);
 
 type PartialInvoiceRequestTlvStreamRef<'a> = (
@@ -448,3 +467,40 @@ impl TryFrom<PartialInvoiceRequestTlvStream> for InvoiceRequestContents {
 		})
 	}
 }
+
+#[cfg(test)]
+mod tests {
+	use super::InvoiceRequest;
+
+	use bitcoin::secp256k1::{KeyPair, Secp256k1, SecretKey};
+	use core::convert::TryFrom;
+	use ln::msgs::DecodeError;
+	use offers::offer::OfferBuilder;
+	use offers::parse::ParseError;
+	use util::ser::{BigSize, Writeable};
+
+	#[test]
+	fn fails_parsing_invoice_request_with_extra_tlv_records() {
+		let secp_ctx = Secp256k1::new();
+		let keys = KeyPair::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[42; 32]).unwrap());
+		let invoice_request = OfferBuilder::new("foo".into(), keys.public_key())
+			.build()
+			.unwrap()
+			.request_invoice(keys.public_key())
+			.build()
+			.unwrap()
+			.sign(|digest| secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
+			.unwrap();
+
+		let mut encoded_invoice_request = Vec::new();
+		invoice_request.write(&mut encoded_invoice_request).unwrap();
+		BigSize(1002).write(&mut encoded_invoice_request).unwrap();
+		BigSize(32).write(&mut encoded_invoice_request).unwrap();
+		[42u8; 32].write(&mut encoded_invoice_request).unwrap();
+
+		match InvoiceRequest::try_from(encoded_invoice_request) {
+			Ok(_) => panic!("expected error"),
+			Err(e) => assert_eq!(e, ParseError::Decode(DecodeError::InvalidValue)),
+		}
+	}
+}
diff --git a/lightning/src/offers/merkle.rs b/lightning/src/offers/merkle.rs
@@ -19,7 +19,7 @@ use prelude::*;
 /// Valid type range for signature TLV records.
 const SIGNATURE_TYPES: core::ops::RangeInclusive<u64> = 240..=1000;
 
-tlv_stream!(SignatureTlvStream, SignatureTlvStreamRef, {
+tlv_stream!(SignatureTlvStream, SignatureTlvStreamRef, SIGNATURE_TYPES, {
 	(240, signature: Signature),
 });
 
diff --git a/lightning/src/offers/offer.rs b/lightning/src/offers/offer.rs
@@ -77,11 +77,11 @@ use core::str::FromStr;
 use core::time::Duration;
 use io;
 use ln::features::OfferFeatures;
-use ln::msgs::MAX_VALUE_MSAT;
+use ln::msgs::{DecodeError, MAX_VALUE_MSAT};
 use offers::invoice_request::InvoiceRequestBuilder;
 use offers::parse::{Bech32Encode, ParseError, SemanticError};
 use onion_message::BlindedPath;
-use util::ser::{HighZeroBytesDroppedBigSize, Readable, WithoutLength, Writeable, Writer};
+use util::ser::{HighZeroBytesDroppedBigSize, SeekReadable, WithoutLength, Writeable, Writer};
 use util::string::PrintableString;
 
 use prelude::*;
@@ -499,7 +499,14 @@ impl TryFrom<Vec<u8>> for Offer {
 	type Error = ParseError;
 
 	fn try_from(bytes: Vec<u8>) -> Result<Self, Self::Error> {
-		let tlv_stream: OfferTlvStream = Readable::read(&mut &bytes[..])?;
+		let mut cursor = io::Cursor::new(bytes);
+		let tlv_stream: OfferTlvStream = SeekReadable::read(&mut cursor)?;
+
+		if cursor.position() < cursor.get_ref().len() as u64 {
+			return Err(ParseError::Decode(DecodeError::InvalidValue));
+		}
+
+		let bytes = cursor.into_inner();
 		Offer::try_from((bytes, tlv_stream))
 	}
 }
@@ -535,7 +542,7 @@ impl Amount {
 /// An ISO 4712 three-letter currency code (e.g., USD).
 pub type CurrencyCode = [u8; 3];
 
-tlv_stream!(OfferTlvStream, OfferTlvStreamRef, {
+tlv_stream!(OfferTlvStream, OfferTlvStreamRef, 1..80, {
 	(2, chains: (Vec<ChainHash>, WithoutLength)),
 	(4, metadata: (Vec<u8>, WithoutLength)),
 	(6, currency: CurrencyCode),
@@ -651,10 +658,10 @@ mod tests {
 	use core::num::NonZeroU64;
 	use core::time::Duration;
 	use ln::features::OfferFeatures;
-	use ln::msgs::MAX_VALUE_MSAT;
+	use ln::msgs::{DecodeError, MAX_VALUE_MSAT};
 	use offers::parse::{ParseError, SemanticError};
 	use onion_message::{BlindedHop, BlindedPath};
-	use util::ser::Writeable;
+	use util::ser::{BigSize, Writeable};
 	use util::string::PrintableString;
 
 	fn pubkey(byte: u8) -> PublicKey {
@@ -1192,6 +1199,22 @@ mod tests {
 			Err(e) => assert_eq!(e, ParseError::InvalidSemantics(SemanticError::MissingNodeId)),
 		}
 	}
+
+	#[test]
+	fn fails_parsing_offer_with_extra_tlv_records() {
+		let offer = OfferBuilder::new("foo".into(), pubkey(42)).build().unwrap();
+
+		let mut encoded_offer = Vec::new();
+		offer.write(&mut encoded_offer).unwrap();
+		BigSize(80).write(&mut encoded_offer).unwrap();
+		BigSize(32).write(&mut encoded_offer).unwrap();
+		[42u8; 32].write(&mut encoded_offer).unwrap();
+
+		match Offer::try_from(encoded_offer) {
+			Ok(_) => panic!("expected error"),
+			Err(e) => assert_eq!(e, ParseError::Decode(DecodeError::InvalidValue)),
+		}
+	}
 }
 
 #[cfg(test)]
diff --git a/lightning/src/offers/payer.rs b/lightning/src/offers/payer.rs
@@ -20,6 +20,6 @@ use prelude::*;
 #[derive(Clone, Debug)]
 pub(crate) struct PayerContents(pub Option<Vec<u8>>);
 
-tlv_stream!(PayerTlvStream, PayerTlvStreamRef, {
+tlv_stream!(PayerTlvStream, PayerTlvStreamRef, 0..1, {
 	(0, metadata: (Vec<u8>, WithoutLength)),
 });
diff --git a/lightning/src/util/ser.rs b/lightning/src/util/ser.rs
@@ -11,7 +11,7 @@
 //! as ChannelsManagers and ChannelMonitors.
 
 use prelude::*;
-use io::{self, Read, Write};
+use io::{self, Read, Seek, Write};
 use io_extras::{copy, sink};
 use core::hash::Hash;
 use sync::Mutex;
@@ -220,6 +220,13 @@ pub trait Readable
 	fn read<R: Read>(reader: &mut R) -> Result<Self, DecodeError>;
 }
 
+/// A trait that various rust-lightning types implement allowing them to be read in from a
+/// `Read + Seek`.
+pub(crate) trait SeekReadable where Self: Sized {
+	/// Reads a Self in from the given Read
+	fn read<R: Read + Seek>(reader: &mut R) -> Result<Self, DecodeError>;
+}
+
 /// A trait that various higher-level rust-lightning types implement allowing them to be read in
 /// from a Read given some additional set of arguments which is required to deserialize.
 ///
diff --git a/lightning/src/util/ser_macros.rs b/lightning/src/util/ser_macros.rs
@@ -197,6 +197,14 @@ macro_rules! decode_tlv {
 
 macro_rules! decode_tlv_stream {
 	($stream: expr, {$(($type: expr, $field: ident, $fieldty: tt)),* $(,)*}) => { {
+		let rewind = |_, _| { unreachable!() };
+		use core::ops::RangeBounds;
+		decode_tlv_stream_range!($stream, .., rewind, {$(($type, $field, $fieldty)),*});
+	} }
+}
+
+macro_rules! decode_tlv_stream_range {
+	($stream: expr, $range: expr, $rewind: ident, {$(($type: expr, $field: ident, $fieldty: tt)),* $(,)*}) => { {
 		use ln::msgs::DecodeError;
 		let mut last_seen_type: Option<u64> = None;
 		let mut stream_ref = $stream;
@@ -210,7 +218,7 @@ macro_rules! decode_tlv_stream {
 				// UnexpectedEof. This should in every case be largely cosmetic, but its nice to
 				// pass the TLV test vectors exactly, which requre this distinction.
 				let mut tracking_reader = ser::ReadTrackingReader::new(&mut stream_ref);
-				match ser::Readable::read(&mut tracking_reader) {
+				match <ser::BigSize as ser::Readable>::read(&mut tracking_reader) {
 					Err(DecodeError::ShortRead) => {
 						if !tracking_reader.have_read {
 							break 'tlv_read;
@@ -219,7 +227,13 @@ macro_rules! decode_tlv_stream {
 						}
 					},
 					Err(e) => return Err(e),
-					Ok(t) => t,
+					Ok(t) => if $range.contains(&t.0) { t } else {
+						use util::ser::Writeable;
+						drop(tracking_reader);
+						let bytes_read = t.serialized_length();
+						$rewind(stream_ref, bytes_read);
+						break 'tlv_read;
+					},
 				}
 			};
 
@@ -458,7 +472,7 @@ macro_rules! impl_writeable_tlv_based {
 /// [`Readable`]: crate::util::ser::Readable
 /// [`Writeable`]: crate::util::ser::Writeable
 macro_rules! tlv_stream {
-	($name:ident, $nameref:ident, {
+	($name:ident, $nameref:ident, $range:expr, {
 		$(($type:expr, $field:ident : $fieldty:tt)),* $(,)*
 	}) => {
 		#[derive(Debug)]
@@ -483,12 +497,15 @@ macro_rules! tlv_stream {
 			}
 		}
 
-		impl ::util::ser::Readable for $name {
-			fn read<R: $crate::io::Read>(reader: &mut R) -> Result<Self, ::ln::msgs::DecodeError> {
+		impl ::util::ser::SeekReadable for $name {
+			fn read<R: $crate::io::Read + $crate::io::Seek>(reader: &mut R) -> Result<Self, ::ln::msgs::DecodeError> {
 				$(
 					init_tlv_field_var!($field, option);
 				)*
-				decode_tlv_stream!(reader, {
+				let rewind = |cursor: &mut R, offset: usize| {
+					cursor.seek($crate::io::SeekFrom::Current(-(offset as i64))).expect("");
+				};
+				decode_tlv_stream_range!(reader, $range, rewind, {
 					$(($type, $field, (option, encoding: $fieldty))),*
 				});
 
