From 2b023be022002b2f039a80a35c87221875afc020 Mon Sep 17 00:00:00 2001
From: Rusty Russell
Date: Mon, 30 Jun 2025 10:08:28 +0930
Subject: [PATCH] bolt11: don't accept wrong-length p, h, s or n fields.
Spec got stricter.
Signed-off-by: Rusty Russell
---
 Makefile | 2 +-
 common/bolt11.c | 33 +++++++++++++++++----------------
 2 files changed, 18 insertions(+), 17 deletions(-)
diff --git a/Makefile b/Makefile
index 89d5dedc3..631978921 100644
--- a/Makefile
+++ b/Makefile
@@ -26,7 +26,7 @@ CCANDIR := ccan
 # Where we keep the BOLT RFCs
 BOLTDIR := ../bolts/
-DEFAULT_BOLTVERSION := 011bf84d74d130c2972becca97c87f297b9d4a92
+DEFAULT_BOLTVERSION := 68881992b97f20aca29edf7a4d673b8e6a70379a
 
 # Can be overridden on cmdline.
 BOLTVERSION := $(DEFAULT_BOLTVERSION)
diff --git a/common/bolt11.c b/common/bolt11.c
index 61da07898..f90bc978c 100644
--- a/common/bolt11.c
+++ b/common/bolt11.c
@@ -179,16 +179,15 @@ static const char *decode_p(struct bolt11 *b11,
 {
 /* BOLT #11:
 *
- * A payer... SHOULD use the first `p` field that it did NOT
- * skip as the payment hash.
+ * A payer... SHOULD use the first `p` field as the payment hash.
 */
 assert(!*have_p);
 
 /* BOLT #11:
 *
- * A reader... MUST skip over unknown fields, OR an `f` field
- * with unknown `version`, OR `p`, `h`, `s` or `n` fields that do
- * NOT have `data_length`s of 52, 52, 52 or 53, respectively.
+ * A reader...
+ * - MUST fail the payment if any mandatory field (`p`, `h`, `s`, `n`)
+ * does not have the correct length (52, 52, 52, 53).
 */
 return pull_expected_length(b11, hu5, data, field_len, 52, 'p',
 have_p, &b11->payment_hash);
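Review bot: The commit title says wrong-length `p`, `h`, `s` and `n` fields are no longer accepted, but this hunk, like the decode_h, decode_n and decode_s hunks that follow, changes only the quoted BOLT text around the pull_expected_length call; the length check itself lives in pull_expected_length, outside the diff, so the patch alone does not show whether a wrong-length field now fails the decode or is still skipped as the old quote described. If pull_expected_length already returned an error on a length mismatch, the title overstates the change and should say the spec quotes were refreshed; if it still skips, the behaviour the title promises is missing from this commit. Either way, a decode test feeding a `p` field with the wrong `data_length` and asserting that decoding fails would pin the intended behaviour. decode_p's parameter list and the rest of its body are outside the hunk.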
@@ -240,9 +239,9 @@ static const char *decode_h(struct bolt11 *b11,
 assert(!*have_h);
 /* BOLT #11:
 *
- * A reader... MUST skip over unknown fields, OR an `f` field
- * with unknown `version`, OR `p`, `h`, `s` or `n` fields that do
- * NOT have `data_length`s of 52, 52, 52 or 53, respectively. */
+ * A reader...
+ * - MUST fail the payment if any mandatory field (`p`, `h`, `s`, `n`)
+ * does not have the correct length (52, 52, 52, 53). */
 err = pull_expected_length(b11, hu5, data, field_len, 52, 'h',
 have_h, &hash);
 
@@ -325,9 +324,9 @@ static const char *decode_n(struct bolt11 *b11,
 assert(!*have_n);
 /* BOLT #11:
 *
- * A reader... MUST skip over unknown fields, OR an `f` field
- * with unknown `version`, OR `p`, `h`, `s` or `n` fields that do
- * NOT have `data_length`s of 52, 52, 52 or 53, respectively. */
+ * A reader...
+ * - MUST fail the payment if any mandatory field (`p`, `h`, `s`, `n`)
+ * does not have the correct length (52, 52, 52, 53). */
 err = pull_expected_length(b11, hu5, data, field_len, 53, 'n',
 have_n, &b11->receiver_id.k);
 
@@ -361,9 +360,9 @@ static const char *decode_s(struct bolt11 *b11,
 
 /* BOLT #11:
 *
- * A reader... MUST skip over unknown fields, OR an `f` field
- * with unknown `version`, OR `p`, `h`, `s` or `n` fields that do
- * NOT have `data_length`s of 52, 52, 52 or 53, respectively. */
+ * A reader...
+ * - MUST fail the payment if any mandatory field (`p`, `h`, `s`, `n`)
+ * does not have the correct length (52, 52, 52, 53). */
 err = pull_expected_length(b11, hu5, data, field_len, 52, 's',
 have_s, &secret);
 if (*have_s)
@@ -443,6 +442,9 @@ static const char *decode_f(struct bolt11 *b11,
 fallback = scriptpubkey_witness_raw(b11, version,
 f, tal_count(f));
 } else {
+ /* BOLT #11:
+ * - MUST skip over `f` fields that use an unknown `version`.
+ */
 /* Restore version for unknown field! */
 *data = orig_data;
 *field_len = orig_len;
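Review bot: In the decode_f hunk the new BOLT quote is added as a separate comment block immediately above the existing `/* Restore version for unknown field! */`, so the restore of `*data` and `*field_len` now carries two back-to-back comments for one pair of statements; folding them into a single block that opens with the BOLT quote and ends with the existing "Restore version for unknown field!" sentence reads better and keeps the spec text next to the code it justifies. The else branch and the rest of decode_f continue outside the hunk, so whether the caller actually advances past the restored field cannot be confirmed from this diff.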
@@ -664,8 +666,7 @@ struct decoder {
 static const struct decoder decoders[] = {
 /* BOLT #11:
 *
- * A payer... SHOULD use the first `p` field that it did NOT
- * skip as the payment hash.
+ * A payer... SHOULD use the first `p` field as the payment hash.
 */
 { 'p', false, decode_p },
 { 'd', false, decode_d },