aljaz/lightning
1
0
Fork 0
mirror of https://github.com/aljazceru/lightning.git synced 2025-12-19 23:24:27 +01:00
Code Issues Packages Projects Releases Wiki Activity

gossip: Fix a memcmp with unset memory in broadcast queue

Browse Source 
`tal_fmt` overallocates the returned string under some circumstances,
meaning that the trailer of the formatted string is unset, but still
considered in `tal_len`. The solution then is to truncate the
formatted string to the real string length. Only necessary here, since
we mix strings and `tal_len`.

Signed-off-by: Christian Decker <decker.christian@gmail.com>
This commit is contained in:
Christian Decker
2018-01-11 14:57:00 +01:00
committed by Rusty Russell
parent 4fe83cd405
commit 3a42e52bcd
2 changed files with 8 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
gossipd/broadcast.c
View File

@@ -1,3 +1,4 @@
#include <ccan/mem/mem.h>
#include <gossipd/broadcast.h> #include <gossipd/broadcast.h>
struct broadcast_state *new_broadcast_state(tal_t *ctx) struct broadcast_state *new_broadcast_state(tal_t *ctx)
@@ -16,8 +17,8 @@ static struct queued_message *new_queued_message(tal_t *ctx,
{ {
struct queued_message *msg = tal(ctx, struct queued_message); struct queued_message *msg = tal(ctx, struct queued_message);
msg->type = type; msg->type = type;
msg->tag = tal_dup_arr(msg, u8, tag, tal_count(tag), 0); msg->tag = tal_dup_arr(msg, u8, tag, tal_len(tag), 0);
msg->payload = tal_dup_arr(msg, u8, payload, tal_count(payload), 0); msg->payload = tal_dup_arr(msg, u8, payload, tal_len(payload), 0);
return msg; return msg;
} }
@@ -30,11 +31,13 @@ bool queue_broadcast(struct broadcast_state *bstate,
u64 index; u64 index;
bool evicted = false; bool evicted = false;
memcheck(tag, tal_len(tag));
/* Remove any tag&type collisions */ /* Remove any tag&type collisions */
for (msg = uintmap_first(&bstate->broadcasts, &index); for (msg = uintmap_first(&bstate->broadcasts, &index);
msg; msg;
msg = uintmap_after(&bstate->broadcasts, &index)) { msg = uintmap_after(&bstate->broadcasts, &index)) {
if (msg->type == type && memcmp(msg->tag, tag, tal_count(tag)) == 0) { if (msg->type == type && memcmp(msg->tag, tag, tal_len(tag)) == 0) {
uintmap_del(&bstate->broadcasts, index); uintmap_del(&bstate->broadcasts, index);
tal_free(msg); tal_free(msg);
evicted = true; evicted = true;

2
gossipd/routing.c
View File

@@ -554,6 +554,7 @@ const struct short_channel_id *handle_channel_announcement(
tag = type_to_string(pending, struct short_channel_id, tag = type_to_string(pending, struct short_channel_id,
&pending->short_channel_id); &pending->short_channel_id);
tal_resize(&tag, strlen(tag));
/* BOLT #7: /* BOLT #7:
* *
@@ -635,6 +636,7 @@ bool handle_pending_cannouncement(struct routing_state *rstate,
list_del_from(&rstate->pending_cannouncement, &pending->list); list_del_from(&rstate->pending_cannouncement, &pending->list);
tag = type_to_string(pending, struct short_channel_id, scid); tag = type_to_string(pending, struct short_channel_id, scid);
tal_resize(&tag, strlen(tag));
/* BOLT #7: /* BOLT #7:
* *