bitcoin-tx: Stricter check for valid integers #13603

pull domob1812 wants to merge 1 commits into bitcoin:master from domob1812:bitcointx changing 2 files +75 −22
  1. domob1812 commented at 2:01 PM on July 6, 2018: contributor

    Just calling atoi to convert strings to integers does not check for valid integers very thoroughly; in particular, it just ignores everything starting from the first non-numeral character. Even a string like "foo" is fine and silently returns 0.

    This meant that bitcoin-tx would not fail if such a string was passed in various places where an integer is expected (like the locktime or an input/output index); this means that it would, for instance, silently accept a typo and interpret it in an unexpected way.

    In this change, we use ParseInt64 for parsing strings to integers, which actually verifies that the full string is valid as number. New tests in the bitcoin-util-test cover the new error paths.

    This fixes #13599.

  2. jgarzik commented at 2:58 PM on July 6, 2018: contributor

    Just use ParseInt64 ?

  3. domob1812 force-pushed on Jul 6, 2018
  4. domob1812 commented at 4:02 PM on July 6, 2018: contributor

    Makes sense, wasn't aware that ParseInt64 exists. I still keep that ParseInteger function, though, because it handles the error check. Otherwise all places where it is used would be more verbose and the code would be less readable (IMHO) - but if you prefer to not have this function at all, I can also do that.

  5. domob1812 force-pushed on Jul 6, 2018
  6. jgarzik commented at 4:31 PM on July 6, 2018: contributor

    In most cases here, the error check tends to duplicate another error check at the callsite.

    It is also a bit disappointing that the error message returned to the user regresses from the specific ("invalid TX version") to less specific ("invalid integer").

  7. in src/bitcoin-tx.cpp:225 in 205bf23ac1 outdated 
     220 | @@ -212,7 +221,7 @@ static void MutateTxLocktime(CMutableTransaction& tx, const std::string& cmdVal)
 221 |  static void MutateTxRBFOptIn(CMutableTransaction& tx, const std::string& strInIdx)
 222 |  {
 223 |      // parse requested index
 224 | -    int inIdx = atoi(strInIdx);
 225 | +    const int64_t inIdx = ParseInteger(strInIdx);
 226 |      if (inIdx < 0 || inIdx >= (int)tx.vin.size()) {
    Empact commented at 9:00 PM on July 6, 2018:

    This cast and others should be updated.

  8. Empact commented at 10:05 PM on July 6, 2018: member

    Agree using ParseInt64 directly to retain the current error message would be nicer, particularly if all errors included the invalid string, rather than just half of them.

  9. bitcoin-tx: Stricter check for valid integers
    Just calling atoi to convert strings to integers does not check for
valid integers very thoroughly; in particular, it just ignores
everything starting from the first non-numeral character.  Even a string
like "foo" is fine and silently returns 0.

This meant that bitcoin-tx would not fail if such a string was passed in
various places where an integer is expected (like the locktime or an
input/output index); this means that it would, for instance, silently
accept a typo and interpret it in an unexpected way.

In this change, we use ParseInt64 for parsing strings to integers,
which actually verifies that the full string is valid as number.
New tests in the bitcoin-util-test cover the new error paths.
    57889e688d
  10. domob1812 force-pushed on Jul 7, 2018
  11. domob1812 commented at 12:28 PM on July 7, 2018: contributor

    It is a good point that the callers have already existing (although different) error checks - with this in mind, I agree that using ParseInt64 directly is good. I've updated the patch accordingly. Now all error messages are specific as to which value it is and what is the exact invalid string - this improves also some existing error messages that previously did not show the invalid value.

  12. jgarzik commented at 12:39 PM on July 7, 2018: contributor

    LGTM - original-author ACK, though more active devs may have other comments

    I'll note that the temporary variables are now only conditionally initialized, not unconditionally initialized. Should be OK as we unconditionally throw in the uninitialized-var case, but it's something to double-check.

  13. MarcoFalke added the label Utils/log/libs on Jul 8, 2018
  14. MarcoFalke commented at 7:48 AM on July 8, 2018: member

    utACK 57889e688dd0987a1e087cd48d216a413127601e

  15. laanwj commented at 6:03 PM on July 9, 2018: member

    utACK 57889e688dd0987a1e087cd48d216a413127601e The conditional initialization looks OK to me, it will never pass the point of initialization in the control flow in case of leaving the value uninitialized.

  16. laanwj merged this on Jul 9, 2018
  17. laanwj closed this on Jul 9, 2018
  18. laanwj referenced this in commit 453ae5ec9f on Jul 9, 2018
  19. domob1812 deleted the branch on Jul 10, 2018
  20. domob1812 referenced this in commit 409ba9a919 on Jul 16, 2018
  21. jasonbcox referenced this in commit b93c6e6b27 on Dec 20, 2019
  22. jonspock referenced this in commit eb0d56b32d on Oct 2, 2020
  23. jonspock referenced this in commit 7b95afd63c on Oct 5, 2020
  24. jonspock referenced this in commit e29b8512ea on Oct 10, 2020
  25. PastaPastaPasta referenced this in commit 7776fd8937 on Dec 16, 2020
  26. PastaPastaPasta referenced this in commit 77b67d10e7 on Dec 18, 2020
  27. PastaPastaPasta referenced this in commit 44c7301288 on Dec 18, 2020
  28. MarcoFalke locked this on Sep 8, 2021
Contributors
domob1812jgarzikEmpactMarcoFalkelaanwj
Labels
Utils/log/libs
Linked (view graph)
#13599 bitcoin-tx accepts non-numeral input/output indices
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-13 15:15 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me