Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Detect underflows in build_closing_transaction #3452

Merged
merged 2 commits into from
Dec 11, 2024

Conversation

arik-so
Copy link
Contributor

@arik-so arik-so commented Dec 9, 2024

In build_closing_transaction, we check that value_to_holder and value_to_counterparty, which are signed, are not lower than the dust limit. However, in doing this check, we convert them to signed integers, which could result in an underflow and a failed detection.

This scenario should not be reachable, but here we add debug_asserts to positive ensure that scenario isn't hit.

Addresses #3410.

In `build_closing_transaction`, we check that `value_to_holder` and
`value_to_counterparty`, which are signed, are not lower than the
dust limit. However, in doing this check, we convert them to signed
integers, which could result in an underflow and a failed detection.

This scenario should not be reachable, but here we add debug_asserts
to positive ensure that scenario isn't hit.
@@ -4368,10 +4368,12 @@ impl<SP: Deref> Channel<SP> where
total_fee_satoshis += (-value_to_counterparty) as u64;
}

debug_assert!(value_to_counterparty >= 0);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I mean panicing in debug is great, but we think its unreachable, we should have some code to handle it (FC the channel) in release builds as well.

@arik-so arik-so force-pushed the stop-disbursement-underflow branch from f8cf343 to 35f96e4 Compare December 9, 2024 22:10
Copy link

codecov bot commented Dec 9, 2024

Codecov Report

Attention: Patch coverage is 61.53846% with 5 lines in your changes missing coverage. Please review.

Project coverage is 89.68%. Comparing base (fe1cf69) to head (28fff28).
Report is 2 commits behind head on main.

Files with missing lines Patch % Lines
lightning/src/ln/channel.rs 61.53% 3 Missing and 2 partials ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3452      +/-   ##
==========================================
- Coverage   89.70%   89.68%   -0.02%     
==========================================
  Files         130      130              
  Lines      107422   107430       +8     
  Branches   107422   107430       +8     
==========================================
- Hits        96362    96351      -11     
- Misses       8669     8680      +11     
- Partials     2391     2399       +8     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@arik-so
Copy link
Contributor Author

arik-so commented Dec 10, 2024

Hm, I ran rustfmt and it appears a bunch of whitespace changes crept in here. I'm happy to undo them all.

@arik-so arik-so force-pushed the stop-disbursement-underflow branch from 42becfe to 28fff28 Compare December 10, 2024 06:03
Following up on the previous commit, where we added debug_asserts
within `build_closing_transaction` to ensure neither
`value_to_holder` nor `value_to_counterparty` underflow, we now also
force-close the channel in the (presumably impossible) event that it
did happen.
@arik-so arik-so force-pushed the stop-disbursement-underflow branch from 28fff28 to a652980 Compare December 11, 2024 05:41
(closing_signed, signed_tx, shutdown_result)
}
Err(err) => {
let shutdown = self.context.force_shutdown(true, ClosureReason::ProcessingError {err: err.to_string()});
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See: https://github.com/lightningdevkit/rust-lightning/blob/main/lightning/src/ln/channelmanager.rs#L3040-L3044

locked_close_channel mentions 2 things that need to happen in addition to calling force_shutdown, and they are being handled in convert_chan_phase_err.

Do we need to do something similar here?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It gets handled by the call site:

locked_close_channel!(self, peer_state, context, shutdown_result);

Copy link
Collaborator

@TheBlueMatt TheBlueMatt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thought adding error handling would be simpler...honestly we could have just added a prod panic instead lo.

Copy link
Contributor

@G8XSU G8XSU left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lgtm!

@arik-so
Copy link
Contributor Author

arik-so commented Dec 11, 2024

So sorry, but what does "lo" mean?

@TheBlueMatt
Copy link
Collaborator

"lol" with the last l missing :)

@TheBlueMatt TheBlueMatt merged commit 98a46ac into lightningdevkit:main Dec 11, 2024
18 of 19 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants