bolt11: check return value of pull_all
Otherwise, if pull_all fails, we attempt to create a script from NULL,
causing a UBSan report:

bitcoin/script.c:29:28: runtime error: null pointer passed as argument 2, which is declared to never be null

Corpus input bf703c2c20c0818af70a8c4caad6e6fd8cfd1ac6 triggers the UBSan
report, but we didn't previously realize this because UBSan has been
disabled in the CI run. We rename the input to indicate its usefulness
as a permanent regression test.
morehouse authored and rustyrussell committed Oct 17, 2023
1 parent 19c581c commit eeec529
Showing 2 changed files with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions common/bolt11.c
Expand Up @@ -390,6 +390,8 @@ static const char *decode_f(struct bolt11 *b11,
fallback = scriptpubkey_p2sh_hash(b11, shash);
} else if (version < 17) {
u8 *f = pull_all(tmpctx, hu5, data, field_len, false, &err);
if (!f)
return err;
if (version == 0) {
if (tal_count(f) != 20 && tal_count(f) != 32)
return tal_fmt(b11,
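Review bot: The `return err;` under the new `if (!f)` check in the `version < 17` branch hands back a string that pull_all filled in during a call whose context argument is tmpctx, while the very next error path in this branch builds its message with `tal_fmt(b11,`. It is worth confirming that err is allocated so that it lives as long as the other error strings decode_f returns, or re-parenting it onto b11 before returning. A one-line comment above the check noting that a NULL f would otherwise reach the script constructor would also keep the reason visible in the code. Since the commit message says the corpus input only exposed this under UBSan and UBSan was disabled in CI, the renamed regression input will not guard against a reintroduction unless a sanitizer-enabled run is part of the fuzz corpus job.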