From d7319795b4f300a3dd25408afca940bea2aec88c Mon Sep 17 00:00:00 2001 From: Erick Cestari Date: Tue, 8 Apr 2025 09:56:59 -0300 Subject: [PATCH] common/bolt11: enforce minimum witness program length for fallback addresses BIP-141 specifies that a witness program must be between 2 and 40 bytes in length. In our fallback address parsing, we were already checking the upper bound, but missing the lower bound check. This commit adds validation to ensure fallback address witness programs are at least 2 bytes long, bringing our implementation in line with the spec and other implementations like rust-lightning. Changelog-Fixed: Enforced minimum witness program length of 2 bytes for fallback addresses to comply with BIP-141 and prevent invalid decodings. --- common/bolt11.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/bolt11.c b/common/bolt11.c index 956af7ea8..509b5a7d1 100644 --- a/common/bolt11.c +++ b/common/bolt11.c @@ -420,7 +420,7 @@ static const char *decode_f(struct bolt11 *b11, "f: witness v1 bad length %zu", tal_count(f)); } - if (tal_count(f) > 40) { + if (tal_count(f) > 40 || tal_count(f) < 2) { return tal_fmt(b11, "f: witness v%"PRIu64" bad length %zu", version,
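Review bot: the diffstat shows only common/bolt11.c changed, so the new lower bound in `if (tal_count(f) > 40 || tal_count(f) < 2)` ships without a test vector; add a decoding test with a fallback address whose witness program is 0 or 1 bytes and assert it fails with the `"f: witness v%"PRIu64" bad length %zu"` error, and consider a one-line comment on the check naming BIP-141's 2..40 byte range so the two bare constants are documented where they are enforced.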