Enforce minimum witness program length for fallback addresses in BOLT11 parsing #8219


Merged


erickcestari
Contributor

This PR fixes an issue with BOLT11 fallback address validation discovered through differential fuzzing between Lightning implementations. Core Lightning was accepting invoices with non-standard witness address fallbacks that other implementations correctly reject.

While comparing parse results from LND, LDK, and Core Lightning using the bitcoinfuzz PR #132, I found that Core Lightning enforces the 40-byte upper limit for witness programs as per BIP-141, but doesn't check the 2-byte minimum length requirement.

The fix is minimal: adding a lower bound check to ensure witness programs are at least 2 bytes long, bringing Core Lightning in line with both the BIP-141 specification and other Lightning implementations.

Checklist

Before submitting the PR, ensure the following tasks are completed. If an item is not applicable to your PR, please mark it as checked:

  • The changelog has been updated in the relevant commit(s) according to the guidelines.
  • Tests have been added or modified to reflect the changes.
  • Documentation has been reviewed and updated as needed.
  • Related issues have been listed and linked, including any that this PR closes.

@erickcestari erickcestari force-pushed the minimun-witness-fallback branch from 3848898 to 1ab463f Compare April 8, 2025 13:20
…dresses

BIP-141 specifies that a witness program must be between 2 and 40 bytes in
length. In our fallback address parsing, we were already checking the upper
bound, but missing the lower bound check. This commit adds validation to
ensure fallback address witness programs are at least 2 bytes long, bringing
our implementation in line with the spec and other implementations like
rust-lightning.

Changelog-Fixed: Enforced minimum witness program length of 2 bytes for
fallback addresses to comply with BIP-141 and prevent invalid decodings.
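The PR description and commit message above describe the check in words: a BOLT11 `f` (fallback) field carries a 5-bit version followed by 5-bit groups that regroup into the address program, and for segwit versions the program must be 2 to 40 bytes per BIP-141, with the lower bound being the one that was missing. The following stand-alone C example, added here and not Core Lightning's own code, shows what such a validator looks like end to end: it regroups the 5-bit payload into bytes (BIP-173 convertbits without padding), then applies the version, minimum, maximum and version-0 length rules, plus the 20-byte rule for the BOLT11 P2PKH/P2SH versions 17 and 18. All function and enum names, and the sample fields, are assumptions constructed for this example.

```c
/* Added example of BOLT11 fallback-address length validation.
 * Not Core Lightning's code; names and layout are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* BIP-141: a witness program is 2..40 bytes; version 0 must be 20 or 32. */
#define WITNESS_PROG_MIN 2
#define WITNESS_PROG_MAX 40
/* BOLT11 fallback versions 17 (P2PKH) and 18 (P2SH) carry a 20-byte hash. */
#define FALLBACK_P2PKH 17
#define FALLBACK_P2SH 18
#define HASH160_LEN 20
#define SHA256_LEN 32

enum fallback_status {
    FALLBACK_OK = 0,
    FALLBACK_BAD_VERSION,
    FALLBACK_TOO_SHORT,      /* the case the PR adds a check for */
    FALLBACK_TOO_LONG,
    FALLBACK_BAD_V0_LEN,
    FALLBACK_BAD_LEGACY_LEN,
    FALLBACK_BAD_ENCODING,
};

/* Apply the length rules to an already-regrouped program. */
enum fallback_status check_fallback_program(unsigned version, size_t prog_len)
{
    if (version == FALLBACK_P2PKH || version == FALLBACK_P2SH)
        return prog_len == HASH160_LEN ? FALLBACK_OK : FALLBACK_BAD_LEGACY_LEN;
    if (version > 16)
        return FALLBACK_BAD_VERSION;
    if (prog_len < WITNESS_PROG_MIN)     /* lower bound from BIP-141 */
        return FALLBACK_TOO_SHORT;
    if (prog_len > WITNESS_PROG_MAX)     /* upper bound, already enforced before the PR */
        return FALLBACK_TOO_LONG;
    if (version == 0 && prog_len != HASH160_LEN && prog_len != SHA256_LEN)
        return FALLBACK_BAD_V0_LEN;
    return FALLBACK_OK;
}

/* Regroup 5-bit bech32 values into bytes (BIP-173 convertbits, no padding):
 * leftover bits must be fewer than 5 and all zero, else the field is malformed. */
static bool convert_5to8(const uint8_t *in, size_t inlen,
                         uint8_t *out, size_t outmax, size_t *outlen)
{
    uint32_t acc = 0;
    unsigned bits = 0;
    size_t n = 0;

    for (size_t i = 0; i < inlen; i++) {
        if (in[i] > 31)
            return false;
        acc = (acc << 5) | in[i];
        bits += 5;
        while (bits >= 8) {
            bits -= 8;
            if (n >= outmax)
                return false;
            out[n++] = (acc >> bits) & 0xff;
        }
        acc &= (1u << bits) - 1u;        /* keep only the not-yet-emitted bits */
    }
    if (bits >= 5 || acc != 0)
        return false;
    *outlen = n;
    return true;
}

/* Parse the 5-bit payload of an `f` field: first value is the version,
 * the remaining values are the program. Programs over 64 bytes fail to
 * decode here, which is stricter than the 40-byte rule but never looser. */
enum fallback_status check_fallback_field(const uint8_t *data5, size_t n5)
{
    uint8_t prog[64];
    size_t prog_len;

    if (n5 < 1 || data5[0] > 31)
        return FALLBACK_BAD_ENCODING;
    if (!convert_5to8(data5 + 1, n5 - 1, prog, sizeof prog, &prog_len))
        return FALLBACK_BAD_ENCODING;
    return check_fallback_program(data5[0], prog_len);
}

/* Constructed sample fields (5-bit values), not taken from real invoices. */
static const uint8_t sample_v1_one_byte[]  = {1, 21, 12};          /* v1, program 0xAB */
static const uint8_t sample_v1_two_bytes[] = {1, 21, 15, 6, 16};   /* v1, program 0xABCD */
static const uint8_t sample_v0_20_bytes[33] = {0};  /* v0 + 32 zero groups = 20 zero bytes */

int main(void)
{
    printf("v1, 1-byte program:  %d (expect %d)\n",
           check_fallback_field(sample_v1_one_byte, sizeof sample_v1_one_byte), FALLBACK_TOO_SHORT);
    printf("v1, 2-byte program:  %d (expect %d)\n",
           check_fallback_field(sample_v1_two_bytes, sizeof sample_v1_two_bytes), FALLBACK_OK);
    printf("v0, 20-byte program: %d (expect %d)\n",
           check_fallback_field(sample_v0_20_bytes, sizeof sample_v0_20_bytes), FALLBACK_OK);
    return 0;
}
```

The first sample is exactly the shape the PR targets: a syntactically valid field whose program regroups to a single byte, which passed the pre-existing upper-bound check and is now rejected as too short.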
@erickcestari erickcestari force-pushed the minimun-witness-fallback branch from 1ab463f to 693b277 Compare April 8, 2025 13:34
Collaborator

@vincenzopalazzo vincenzopalazzo left a comment


ACK 693b277

The CI changes look unrelated.

@rustyrussell rustyrussell merged commit d731979 into ElementsProject:master Apr 15, 2025
34 of 40 checks passed
@rustyrussell
Contributor

Thanks!
