Prevent receiver panic paths #1704
Draft
spacebear21 wants to merge 1 commit into
Conversation
Reject sender additional fee indexes that do not refer to an original PSBT output before fee adjustment. Validate replay event payloads before reconstructing receiver states. Malformed logs now return replay errors instead of creating invalid change outputs.
Collaborator
Coverage Report for CI Build 28559937547
Coverage increased (+0.06%) to 85.805%
Details
Uncovered Changes
Coverage Regressions: No coverage regressions found.
Coverage Stats
💛 - Coveralls
Member
concept ACK on fixing the index getting, not this particular code tho
Summary
This addresses the panic items from the 1.0 API audit before the 1.0 freeze. The crate advertises panic-free error handling, so network-supplied receiver inputs and persisted replay logs should fail through normal error paths instead of being able to abort the process.
This fixes the sender-controlled additionalfeeoutputindex path by rejecting indexes that do not refer to an original PSBT output before fee adjustment, with a checked lookup in the shared fee code as defense in depth.

It also fixes malformed v2 replay logs by returning an invalid event payload replay error when IdentifiedReceiverOutputs is empty or out of range, or when CommittedOutputs no longer contains the receiver change output.

Disclosure: co-authored by Codex
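As an added illustration (not code from rust-payjoin or from this PR), the two checks the summary describes, written against hypothetical stand-in types (`TxOut`, `Event`, `ReplayError`) so it runs without the crate: a checked lookup for the sender's additionalfeeoutputindex, and replay validation that rejects an empty or out-of-range IdentifiedReceiverOutputs payload or a CommittedOutputs payload that dropped the receiver's output.

```rust
// Hypothetical stand-ins for the crate's types; not rust-payjoin code.
#[derive(Debug, Clone, PartialEq)]
pub struct TxOut { pub value: u64, pub script_pubkey: Vec<u8> }

#[derive(Debug, PartialEq)]
pub enum ReplayError {
    BadFeeIndex(usize),          // sender index names no original PSBT output
    FeeExceedsOutput(usize),     // subtracting the fee would underflow
    EmptyReceiverOutputs,        // IdentifiedReceiverOutputs payload is empty
    OutputIndexOutOfRange(usize),// IdentifiedReceiverOutputs index out of range
    ChangeOutputMissing,         // CommittedOutputs lost the receiver output
}

/// Sender-supplied additionalfeeoutputindex must refer to an output of the
/// *original* PSBT. `get_mut` and `checked_sub` replace `[]` and `-`, so a
/// hostile index or oversized fee becomes an Err instead of a panic.
pub fn apply_additional_fee(original: &[TxOut], fee_index: usize, fee: u64)
    -> Result<Vec<TxOut>, ReplayError>
{
    let mut outs = original.to_vec();
    let out = outs.get_mut(fee_index).ok_or(ReplayError::BadFeeIndex(fee_index))?;
    out.value = out.value.checked_sub(fee).ok_or(ReplayError::FeeExceedsOutput(fee_index))?;
    Ok(outs)
}

/// Hypothetical v2 session events in persisted-log order.
pub enum Event { IdentifiedReceiverOutputs(Vec<usize>), CommittedOutputs(Vec<TxOut>) }

/// Rebuild receiver state from a log, validating each payload before use.
pub fn replay(candidates: &[TxOut], log: &[Event]) -> Result<Vec<TxOut>, ReplayError> {
    let mut receiver_outputs: Vec<TxOut> = Vec::new();
    for ev in log {
        match ev {
            Event::IdentifiedReceiverOutputs(idx) => {
                if idx.is_empty() { return Err(ReplayError::EmptyReceiverOutputs); }
                for &i in idx {
                    let o = candidates.get(i).ok_or(ReplayError::OutputIndexOutOfRange(i))?;
                    receiver_outputs.push(o.clone());
                }
            }
            Event::CommittedOutputs(committed) => {
                // Every previously identified receiver output must still be present.
                if !receiver_outputs.iter().all(|r| committed.contains(r)) {
                    return Err(ReplayError::ChangeOutputMissing);
                }
                return Ok(committed.clone());
            }
        }
    }
    Ok(receiver_outputs)
}
```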