lightningdevkit · valentinewallace · Aug 17, 2022 · Aug 5, 2022 · Jul 24, 2022
diff --git a/fuzz/src/bin/gen_target.sh b/fuzz/src/bin/gen_target.sh
@@ -9,6 +9,7 @@ GEN_TEST() {
 GEN_TEST chanmon_deser
 GEN_TEST chanmon_consistency
 GEN_TEST full_stack
+GEN_TEST onion_message
 GEN_TEST peer_crypt
 GEN_TEST process_network_graph
 GEN_TEST router

diff --git a/fuzz/src/bin/onion_message_target.rs b/fuzz/src/bin/onion_message_target.rs
@@ -0,0 +1,113 @@
+// This file is Copyright its original authors, visible in version control
+// history.
+//
+// This file is licensed under the Apache License, Version 2.0 <LICENSE-APACHE
+// or http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
+// <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your option.
+// You may not use this file except in accordance with one or both of these
+// licenses.
+
+// This file is auto-generated by gen_target.sh based on target_template.txt
+// To modify it, modify target_template.txt and run gen_target.sh instead.
+
+#![cfg_attr(feature = "libfuzzer_fuzz", no_main)]
+
+#[cfg(not(fuzzing))]
+compile_error!("Fuzz targets need cfg=fuzzing");
+
+extern crate lightning_fuzz;
+use lightning_fuzz::onion_message::*;
+
+#[cfg(feature = "afl")]
+#[macro_use] extern crate afl;
+#[cfg(feature = "afl")]
+fn main() {
+	fuzz!(|data| {
+		onion_message_run(data.as_ptr(), data.len());
+	});
+}
+
+#[cfg(feature = "honggfuzz")]
+#[macro_use] extern crate honggfuzz;
+#[cfg(feature = "honggfuzz")]
+fn main() {
+	loop {
+		fuzz!(|data| {
+			onion_message_run(data.as_ptr(), data.len());
+		});
+	}
+}
+
+#[cfg(feature = "libfuzzer_fuzz")]
+#[macro_use] extern crate libfuzzer_sys;
+#[cfg(feature = "libfuzzer_fuzz")]
+fuzz_target!(|data: &[u8]| {
+	onion_message_run(data.as_ptr(), data.len());
+});
+
+#[cfg(feature = "stdin_fuzz")]
+fn main() {
+	use std::io::Read;
+
+	let mut data = Vec::with_capacity(8192);
+	std::io::stdin().read_to_end(&mut data).unwrap();
+	onion_message_run(data.as_ptr(), data.len());
+}
+
+#[test]
+fn run_test_cases() {
+	use std::fs;
+	use std::io::Read;
+	use lightning_fuzz::utils::test_logger::StringBuffer;
+
+	use std::sync::{atomic, Arc};
+	{
+		let data: Vec<u8> = vec![0];
+		onion_message_run(data.as_ptr(), data.len());
+	}
+	let mut threads = Vec::new();
+	let threads_running = Arc::new(atomic::AtomicUsize::new(0));
+	if let Ok(tests) = fs::read_dir("test_cases/onion_message") {
+		for test in tests {
+			let mut data: Vec<u8> = Vec::new();
+			let path = test.unwrap().path();
+			fs::File::open(&path).unwrap().read_to_end(&mut data).unwrap();
+			threads_running.fetch_add(1, atomic::Ordering::AcqRel);
+
+			let thread_count_ref = Arc::clone(&threads_running);
+			let main_thread_ref = std::thread::current();
+			threads.push((path.file_name().unwrap().to_str().unwrap().to_string(),
+				std::thread::spawn(move || {
+					let string_logger = StringBuffer::new();
+
+					let panic_logger = string_logger.clone();
+					let res = if ::std::panic::catch_unwind(move || {
+						onion_message_test(&data, panic_logger);
+					}).is_err() {
+						Some(string_logger.into_string())
+					} else { None };
+					thread_count_ref.fetch_sub(1, atomic::Ordering::AcqRel);
+					main_thread_ref.unpark();
+					res
+				})
+			));
+			while threads_running.load(atomic::Ordering::Acquire) > 32 {
+				std::thread::park();
+			}
+		}
+	}
+	let mut failed_outputs = Vec::new();
+	for (test, thread) in threads.drain(..) {
+		if let Some(output) = thread.join().unwrap() {
+			println!("\nOutput of {}:\n{}\n", test, output);
+			failed_outputs.push(test);
+		}
+	}
+	if !failed_outputs.is_empty() {
+		println!("Test cases which failed: ");
+		for case in failed_outputs {
+			println!("{}", case);
+		}
+		panic!();
+	}
+}
diff --git a/fuzz/src/lib.rs b/fuzz/src/lib.rs
@@ -17,6 +17,7 @@ pub mod utils;
 pub mod chanmon_deser;
 pub mod chanmon_consistency;
 pub mod full_stack;
+pub mod onion_message;
 pub mod peer_crypt;
 pub mod process_network_graph;
 pub mod router;

diff --git a/fuzz/src/onion_message.rs b/fuzz/src/onion_message.rs
diff --git a/fuzz/targets.h b/fuzz/targets.h
@@ -2,6 +2,7 @@
 void chanmon_deser_run(const unsigned char* data, size_t data_len);
 void chanmon_consistency_run(const unsigned char* data, size_t data_len);
 void full_stack_run(const unsigned char* data, size_t data_len);
+void onion_message_run(const unsigned char* data, size_t data_len);
 void peer_crypt_run(const unsigned char* data, size_t data_len);
 void process_network_graph_run(const unsigned char* data, size_t data_len);
 void router_run(const unsigned char* data, size_t data_len);

diff --git a/lightning/src/lib.rs b/lightning/src/lib.rs
@@ -79,6 +79,9 @@ pub mod util;
 pub mod chain;
 pub mod ln;
 pub mod routing;
+#[cfg(fuzzing)]
+pub mod onion_message;
+#[cfg(not(fuzzing))]
 #[allow(unused)]
 mod onion_message; // To be exposed after sending/receiving OMs is supported in PeerManager.
 

diff --git a/lightning/src/onion_message/messenger.rs b/lightning/src/onion_message/messenger.rs
@@ -248,7 +248,7 @@ impl<Signer: Sign, K: Deref, L: Deref> OnionMessenger<Signer, K, L>
 									sha.input(control_tlvs_ss.as_ref());
 									Sha256::from_engine(sha).into_inner()
 								};
-								let mut next_blinding_point = msg.blinding_point;
+								let next_blinding_point = msg.blinding_point;
 								match next_blinding_point.mul_tweak(&self.secp_ctx, &Scalar::from_be_bytes(blinding_factor).unwrap()) {
 									Ok(bp) => bp,
 									Err(e) => {
@@ -261,6 +261,7 @@ impl<Signer: Sign, K: Deref, L: Deref> OnionMessenger<Signer, K, L>
 						onion_routing_packet: outgoing_packet,
 					},
 				);
+				log_trace!(self.logger, "Forwarding an onion message to peer {}", next_node_id);
 			},
 			Err(e) => {
 				log_trace!(self.logger, "Errored decoding onion message packet: {:?}", e);

diff --git a/lightning/src/onion_message/packet.rs b/lightning/src/onion_message/packet.rs
@@ -69,7 +69,7 @@ impl LengthReadable for Packet {
 		let public_key = Readable::read(r)?;
 
 		let mut hop_data = Vec::new();
-		let hop_data_len = r.total_bytes() as usize - 66; // 1 (version) + 33 (pubkey) + 32 (HMAC) = 66
+		let hop_data_len = r.total_bytes().saturating_sub(66) as usize; // 1 (version) + 33 (pubkey) + 32 (HMAC) = 66
 		let mut read_idx = 0;
 		while read_idx < hop_data_len {
 			let mut read_buffer = [0; READ_BUFFER_SIZE];

diff --git a/lightning/src/util/chacha20poly1305rfc.rs b/lightning/src/util/chacha20poly1305rfc.rs
@@ -286,10 +286,10 @@ mod fuzzy_chachapoly {
 
 		pub(super) fn encrypt_in_place(&mut self, _input_output: &mut [u8]) {
 			assert!(self.finished == false);
-			self.finished = true;
 		}
 
 		pub(super) fn finish_and_get_tag(&mut self, out_tag: &mut [u8]) {
+			assert!(self.finished == false);
 			out_tag.copy_from_slice(&self.tag);
 			self.finished = true;
 		}