lightningdevkit
diff --git a/‎fuzz/Cargo.toml
Lines changed: 4 additions & 0 deletions b/‎fuzz/Cargo.toml
Lines changed: 4 additions & 0 deletions
diff --git a/‎fuzz/fuzz_targets/channel_target.rs
Lines changed: 32 additions & 14 deletions b/‎fuzz/fuzz_targets/channel_target.rs
Lines changed: 32 additions & 14 deletions
diff --git a/‎fuzz/fuzz_targets/router_target.rs
Lines changed: 219 additions & 0 deletions b/‎fuzz/fuzz_targets/router_target.rs
Lines changed: 219 additions & 0 deletions
@@ -42,6 +42,10 @@ path = "fuzz_targets/channel_target.rs"
 name = "full_stack_target"
 path = "fuzz_targets/full_stack_target.rs"
 
+[[bin]]
+name = "router_target"
+path = "fuzz_targets/router_target.rs"
+
 [[bin]]
 name = "chanmon_deser_target"
 path = "fuzz_targets/chanmon_deser_target.rs"
 
@@ -10,7 +10,7 @@ use bitcoin::network::serialize::{serialize, BitcoinHash};
 use lightning::ln::channel::{Channel, ChannelKeys};
 use lightning::ln::channelmanager::{HTLCFailReason, PendingForwardHTLCInfo};
 use lightning::ln::msgs;
-use lightning::ln::msgs::MsgDecodable;
+use lightning::ln::msgs::{MsgDecodable, ErrorAction};
 use lightning::chain::chaininterface::{FeeEstimator, ConfirmationTarget};
 use lightning::chain::transaction::OutPoint;
 use lightning::util::reset_rng_state;
@@ -120,7 +120,8 @@ pub fn do_test(data: &[u8]) {
 					msgs::DecodeError::BadSignature => return,
 					msgs::DecodeError::BadText => return,
 					msgs::DecodeError::ExtraAddressesPerType => return,
-					msgs::DecodeError::WrongLength => panic!("We picked the length..."),
+					msgs::DecodeError::BadLengthDescriptor => return,
+					msgs::DecodeError::ShortRead => panic!("We picked the length..."),
 				}
 			}
 		}
@@ -141,7 +142,8 @@ pub fn do_test(data: &[u8]) {
 						msgs::DecodeError::BadSignature => return,
 						msgs::DecodeError::BadText => return,
 						msgs::DecodeError::ExtraAddressesPerType => return,
-						msgs::DecodeError::WrongLength => panic!("We picked the length..."),
+						msgs::DecodeError::BadLengthDescriptor => return,
+						msgs::DecodeError::ShortRead => panic!("We picked the length..."),
 					}
 				}
 			}
@@ -237,55 +239,71 @@ pub fn do_test(data: &[u8]) {
 	let funding_locked = decode_msg!(msgs::FundingLocked, 32+33);
 	return_err!(channel.funding_locked(&funding_locked));
 
+	macro_rules! test_err {
+		($expr: expr) => {
+			match $expr {
+				Ok(r) => Some(r),
+				Err(e) => match e.action {
+					None => return,
+					Some(ErrorAction::UpdateFailHTLC {..}) => None,
+					Some(ErrorAction::DisconnectPeer {..}) => return,
+					Some(ErrorAction::IgnoreError) => None,
+					Some(ErrorAction::SendErrorMessage {..}) => None,
+				},
+			}
+		}
+	}
+
 	loop {
 		match get_slice!(1)[0] {
 			0 => {
-				return_err!(channel.send_htlc(slice_to_be64(get_slice!(8)), [42; 32], slice_to_be32(get_slice!(4)), msgs::OnionPacket {
+				test_err!(channel.send_htlc(slice_to_be64(get_slice!(8)), [42; 32], slice_to_be32(get_slice!(4)), msgs::OnionPacket {
 					version: get_slice!(1)[0],
 					public_key: get_pubkey!(),
 					hop_data: [0; 20*65],
 					hmac: [0; 32],
 				}));
 			},
 			1 => {
-				return_err!(channel.send_commitment());
+				test_err!(channel.send_commitment());
 			},
 			2 => {
 				let update_add_htlc = decode_msg!(msgs::UpdateAddHTLC, 32+8+8+32+4+4+33+20*65+32);
-				return_err!(channel.update_add_htlc(&update_add_htlc, PendingForwardHTLCInfo::dummy()));
+				test_err!(channel.update_add_htlc(&update_add_htlc, PendingForwardHTLCInfo::dummy()));
 			},
 			3 => {
 				let update_fulfill_htlc = decode_msg!(msgs::UpdateFulfillHTLC, 32 + 8 + 32);
-				return_err!(channel.update_fulfill_htlc(&update_fulfill_htlc));
+				test_err!(channel.update_fulfill_htlc(&update_fulfill_htlc));
 			},
 			4 => {
 				let update_fail_htlc = decode_msg_with_len16!(msgs::UpdateFailHTLC, 32 + 8, 1);
-				return_err!(channel.update_fail_htlc(&update_fail_htlc, HTLCFailReason::dummy()));
+				test_err!(channel.update_fail_htlc(&update_fail_htlc, HTLCFailReason::dummy()));
 			},
 			5 => {
 				let update_fail_malformed_htlc = decode_msg!(msgs::UpdateFailMalformedHTLC, 32+8+32+2);
-				return_err!(channel.update_fail_malformed_htlc(&update_fail_malformed_htlc, HTLCFailReason::dummy()));
+				test_err!(channel.update_fail_malformed_htlc(&update_fail_malformed_htlc, HTLCFailReason::dummy()));
 			},
 			6 => {
 				let commitment_signed = decode_msg_with_len16!(msgs::CommitmentSigned, 32+64, 64);
-				return_err!(channel.commitment_signed(&commitment_signed));
+				test_err!(channel.commitment_signed(&commitment_signed));
 			},
 			7 => {
 				let revoke_and_ack = decode_msg!(msgs::RevokeAndACK, 32+32+33);
-				return_err!(channel.revoke_and_ack(&revoke_and_ack));
+				test_err!(channel.revoke_and_ack(&revoke_and_ack));
 			},
 			8 => {
 				let update_fee = decode_msg!(msgs::UpdateFee, 32+4);
-				return_err!(channel.update_fee(&fee_est, &update_fee));
+				test_err!(channel.update_fee(&fee_est, &update_fee));
 			},
 			9 => {
 				let shutdown = decode_msg_with_len16!(msgs::Shutdown, 32, 1);
-				return_err!(channel.shutdown(&fee_est, &shutdown));
+				test_err!(channel.shutdown(&fee_est, &shutdown));
 				if channel.is_shutdown() { return; }
 			},
 			10 => {
 				let closing_signed = decode_msg!(msgs::ClosingSigned, 32+8+64);
-				if return_err!(channel.closing_signed(&fee_est, &closing_signed)).1.is_some() {
+				let sign_res = test_err!(channel.closing_signed(&fee_est, &closing_signed));
+				if sign_res.is_some() && sign_res.unwrap().1.is_some() {
 					assert!(channel.is_shutdown());
 					return;
 				}
 
@@ -0,0 +1,219 @@
+extern crate bitcoin;
+extern crate lightning;
+extern crate secp256k1;
+
+use lightning::ln::channelmanager::ChannelDetails;
+use lightning::ln::msgs;
+use lightning::ln::msgs::{MsgDecodable, RoutingMessageHandler};
+use lightning::ln::router::{Router, RouteHint};
+use lightning::util::reset_rng_state;
+
+use secp256k1::key::PublicKey;
+use secp256k1::Secp256k1;
+
+#[inline]
+pub fn slice_to_be16(v: &[u8]) -> u16 {
+	((v[0] as u16) << 8*1) |
+	((v[1] as u16) << 8*0)
+}
+
+#[inline]
+pub fn slice_to_be32(v: &[u8]) -> u32 {
+	((v[0] as u32) << 8*3) |
+	((v[1] as u32) << 8*2) |
+	((v[2] as u32) << 8*1) |
+	((v[3] as u32) << 8*0)
+}
+
+#[inline]
+pub fn slice_to_be64(v: &[u8]) -> u64 {
+	((v[0] as u64) << 8*7) |
+	((v[1] as u64) << 8*6) |
+	((v[2] as u64) << 8*5) |
+	((v[3] as u64) << 8*4) |
+	((v[4] as u64) << 8*3) |
+	((v[5] as u64) << 8*2) |
+	((v[6] as u64) << 8*1) |
+	((v[7] as u64) << 8*0)
+}
+
+#[inline]
+pub fn do_test(data: &[u8]) {
+	reset_rng_state();
+
+	let mut read_pos = 0;
+	macro_rules! get_slice_nonadvancing {
+		($len: expr) => {
+			{
+				if data.len() < read_pos + $len as usize {
+					return;
+				}
+				&data[read_pos..read_pos + $len as usize]
+			}
+		}
+	}
+	macro_rules! get_slice {
+		($len: expr) => {
+			{
+				let res = get_slice_nonadvancing!($len);
+				read_pos += $len;
+				res
+			}
+		}
+	}
+
+	macro_rules! decode_msg {
+		($MsgType: path, $len: expr) => {
+			match <($MsgType)>::decode(get_slice!($len)) {
+				Ok(msg) => msg,
+				Err(e) => match e {
+					msgs::DecodeError::UnknownRealmByte => return,
+					msgs::DecodeError::BadPublicKey => return,
+					msgs::DecodeError::BadSignature => return,
+					msgs::DecodeError::BadText => return,
+					msgs::DecodeError::ExtraAddressesPerType => return,
+					msgs::DecodeError::BadLengthDescriptor => return,
+					msgs::DecodeError::ShortRead => panic!("We picked the length..."),
+				}
+			}
+		}
+	}
+
+	macro_rules! decode_msg_with_len16 {
+		($MsgType: path, $begin_len: expr, $excess: expr) => {
+			{
+				let extra_len = slice_to_be16(&get_slice_nonadvancing!($begin_len as usize + 2)[$begin_len..$begin_len + 2]);
+				decode_msg!($MsgType, $begin_len as usize + 2 + (extra_len as usize) + $excess)
+			}
+		}
+	}
+
+	let secp_ctx = Secp256k1::new();
+	macro_rules! get_pubkey {
+		() => {
+			match PublicKey::from_slice(&secp_ctx, get_slice!(33)) {
+				Ok(key) => key,
+				Err(_) => return,
+			}
+		}
+	}
+
+	let our_pubkey = get_pubkey!();
+	let router = Router::new(our_pubkey.clone());
+
+	loop {
+		match get_slice!(1)[0] {
+			0 => {
+				let start_len = slice_to_be16(&get_slice_nonadvancing!(64 + 2)[64..64 + 2]) as usize;
+				let addr_len = slice_to_be16(&get_slice_nonadvancing!(64+start_len+2 + 74)[64+start_len+2 + 72..64+start_len+2 + 74]);
+				if addr_len > (37+1)*4 {
+					return;
+				}
+				let _ = router.handle_node_announcement(&decode_msg_with_len16!(msgs::NodeAnnouncement, 64, 288));
+			},
+			1 => {
+				let _ = router.handle_channel_announcement(&decode_msg_with_len16!(msgs::ChannelAnnouncement, 64*4, 32+8+33*4));
+			},
+			2 => {
+				let _ = router.handle_channel_update(&decode_msg!(msgs::ChannelUpdate, 128));
+			},
+			3 => {
+				match get_slice!(1)[0] {
+					0 => {
+						router.handle_htlc_fail_channel_update(&msgs::HTLCFailChannelUpdate::ChannelUpdateMessage {msg: decode_msg!(msgs::ChannelUpdate, 128)});
+					},
+					1 => {
+						let short_channel_id = slice_to_be64(get_slice!(8));
+						router.handle_htlc_fail_channel_update(&msgs::HTLCFailChannelUpdate::ChannelClosed {short_channel_id});
+					},
+					_ => return,
+				}
+			},
+			4 => {
+				let target = get_pubkey!();
+				let mut first_hops_vec = Vec::new();
+				let first_hops = match get_slice!(1)[0] {
+					0 => None,
+					1 => {
+						let count = slice_to_be16(get_slice!(2));
+						for _ in 0..count {
+							first_hops_vec.push(ChannelDetails {
+								channel_id: [0; 32],
+								short_channel_id: Some(slice_to_be64(get_slice!(8))),
+								remote_network_id: get_pubkey!(),
+								channel_value_satoshis: slice_to_be64(get_slice!(8)),
+								user_id: 0,
+							});
+						}
+						Some(&first_hops_vec[..])
+					},
+					_ => return,
+				};
+				let mut last_hops_vec = Vec::new();
+				let last_hops = {
+					let count = slice_to_be16(get_slice!(2));
+					for _ in 0..count {
+						last_hops_vec.push(RouteHint {
+							src_node_id: get_pubkey!(),
+							short_channel_id: slice_to_be64(get_slice!(8)),
+							fee_base_msat: slice_to_be64(get_slice!(8)),
+							fee_proportional_millionths: slice_to_be32(get_slice!(4)),
+							cltv_expiry_delta: slice_to_be16(get_slice!(2)),
+							htlc_minimum_msat: slice_to_be64(get_slice!(8)),
+						});
+					}
+					&last_hops_vec[..]
+				};
+				let _ = router.get_route(&target, first_hops, last_hops, slice_to_be64(get_slice!(8)), slice_to_be32(get_slice!(4)));
+			},
+			_ => return,
+		}
+	}
+}
+
+#[cfg(feature = "afl")]
+extern crate afl;
+#[cfg(feature = "afl")]
+fn main() {
+	afl::read_stdio_bytes(|data| {
+		do_test(&data);
+	});
+}
+
+#[cfg(feature = "honggfuzz")]
+#[macro_use] extern crate honggfuzz;
+#[cfg(feature = "honggfuzz")]
+fn main() {
+	loop {
+		fuzz!(|data| {
+			do_test(data);
+		});
+	}
+}
+
+#[cfg(test)]
+mod tests {
+	fn extend_vec_from_hex(hex: &str, out: &mut Vec<u8>) {
+		let mut b = 0;
+		for (idx, c) in hex.as_bytes().iter().enumerate() {
+			b <<= 4;
+			match *c {
+				b'A'...b'F' => b |= c - b'A' + 10,
+				b'a'...b'f' => b |= c - b'a' + 10,
+				b'0'...b'9' => b |= c - b'0',
+				_ => panic!("Bad hex"),
+			}
+			if (idx & 1) == 1 {
+				out.push(b);
+				b = 0;
+			}
+		}
+	}
+
+	#[test]
+	fn duplicate_crash() {
+		let mut a = Vec::new();
+		extend_vec_from_hex("00", &mut a);
+		super::do_test(&a);
+	}
+}