rpc: Fixed signed integer overflow for large feerates #29434

pull maflcko wants to merge 4 commits into bitcoin:master from maflcko:2402-rpc-UB- changing 4 files +27 −8
  1. maflcko commented at 4:36 pm on February 14, 2024: member

    Passing large BTC/kvB feerates to RPCs is problematic, because:

    • They are likely a typo. 1BTC/kvB (or larger) seems absurd.
    • They may cause signed integer overflow.
    • Anyone really wanting to pick such a large value can set 0 to disable the check.

    Fix all issues by rejecting anything more than 1BTC/kvB during parsing.

  2. rpc: Implement RPCHelpMan::ArgValue<> for UniValue fa0ff66109
  3. DrahtBot commented at 4:36 pm on February 14, 2024: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Code Coverage

    For detailed information about the code coverage, see the test coverage report.

    Reviews

    See the guideline for information on the review process.

    Type Reviewers
    ACK vasild, tdb3, brunoerg, fjahr, achow101
    Stale ACK BrandonOdiwuor

    If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

    Conflicts

    Reviewers, this pull request conflicts with the following ones:

    • #28950 (RPC: Add maxfeerate and maxburnamount args to submitpackage by instagibbs)

    If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

  4. DrahtBot added the label RPC/REST/ZMQ on Feb 14, 2024
  5. maflcko commented at 4:38 pm on February 14, 2024: member

    The following FUZZ=rpc should pass with this pull and crash on master:

     0c2VuZHJhd3RyYW5zYWN0aW9uXAEAAAAAHgBiu7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
 1u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
 2u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
 3u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
 4u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
 5u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
 6u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
 7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
 8u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
 9u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
10u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7sBALu7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
11u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
12u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
13u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
14u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
15u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
16u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7EgAA
17AAAAAAC7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
18u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
19u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
20u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
21u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
22u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u2dl
23dGNvbm5lY3Rpb25jb3VudLu7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
24u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
25u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
26u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
27u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
28u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
29u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
30u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
31u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
32u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
33u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7AAAAAAAAABK7u7u7u7u7
34u7u7u0S7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
35u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
36u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
37u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
38u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
39u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
40u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7uzhVbmlWYWx1Zbu7
41u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7v+/////////7u7u7u7u7u7u7u7u7u7
42u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
43u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
44u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
45u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
46u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7OFVu
47aVZhbHVlu7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
48u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7sA8P///wAAAAAAAAAA
49AAAAOgABAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAHAAAAAAAAAAAAAAAA
50AAAAAAAAAAAAAAAAAAF0ZQAAWwAAALu7u7u7u7u7u7u7u7u7uzhVbmlWYWx1Zbu7u7u7u7u7u7u7
51u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
52u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
53u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
54u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
55u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
56u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7OFVuaVZhbHVl
57u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
58u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
59u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7uzhVbmlWYWx1Zbu7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
60u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
61u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
62APD///8AAAAAAAAAAAAAADoAAQAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAA
63BwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABdGUAAFsAAAC7u7u7u7u7u7u7u7u7u7s4VW5pVmFs
64dWW7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
65u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
66u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
67u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
68u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
69u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
70u7u7uzhVbmlWYWx1Zbu7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
71u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
72u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7uwDw////AAAAAAAAAAAAAAA6AAEAAAAA
73AAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
74AAAAAXRlAABbAAAAAAAA////HHNkYbu7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
75u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
76u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
77u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
78u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7uzhVbmlWYWx1Zbu7
79u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
80u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7
81u7u7u7u7u7u7u7u7u7u7u7u7uwDw////AAAAAAAAAAAAAAA6AAEAAAAAAAABAAAAAAAAAAAAAAAA
82AAAAAAAAAAAAAAAAAQAABwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABdGUAAFsAAAAAAABuAAAA
83czD8XAAAdCsBAAAAgPWNkXN0KWFraWRh
  6. in src/rpc/util.h:110 in fa19cf33f9 outdated 
    102@@ -103,6 +103,11 @@ std::vector<unsigned char> ParseHexO(const UniValue& o, std::string_view strKey)
103  * @returns a CAmount if the various checks pass.
104  */
105 CAmount AmountFromValue(const UniValue& value, int decimals = 8);
106+/**
107+ * Parse a json number or string into a rate of BTC/kvB.
108+ * Reject negative values or rates larger than 1BTC/kvB.
109+ */
110+CFeeRate ParseFeeRate(const UniValue& json);
    vasild commented at 8:44 am on February 15, 2024:

    That is a bit confusing - the input is in BTC/kvB and the output is in sat/kvB. Maybe elaborate more:

    0/**
1 * Parse a json number or string into a fee rate. The input is interpreted as a number
2 * in BTC/kvB while the output is in sat/kvB.
3 * For example ParseFeeRate("1").GetFeePerK() == 100'000'000
4 * Reject negative values or rates larger than 1BTC/kvB.
5 */
6CFeeRate ParseFeeRate(const UniValue& json);
    maflcko commented at 9:56 am on February 15, 2024:
    Thanks, I pushed something.
  7. in src/rpc/mempool.cpp:84 in fa19cf33f9 outdated 
    80@@ -81,9 +81,7 @@ static RPCHelpMan sendrawtransaction()
81 
82             CTransactionRef tx(MakeTransactionRef(std::move(mtx)));
83 
84-            const CFeeRate max_raw_tx_fee_rate = request.params[1].isNull() ?
85-                                                     DEFAULT_MAX_RAW_TX_FEE_RATE :
86-                                                     CFeeRate(AmountFromValue(request.params[1]));
87+            const CFeeRate max_raw_tx_fee_rate{ParseFeeRate(self.Arg<UniValue>(1))};
    vasild commented at 9:09 am on February 15, 2024:

    It is nice that DEFAULT_MAX_RAW_TX_FEE_RATE is now deduplicated and is only mentioned once at the parameter definition:

    0{"maxfeerate", RPCArg::Type::AMOUNT, RPCArg::Default{FormatMoney(DEFAULT_MAX_RAW_TX_FEE_RATE.GetFeePerK())}
    maflcko commented at 9:43 am on February 15, 2024:
    Yes, this is a nice side-effect of the changes here, due to using self.Arg().
  8. in src/rpc/mempool.cpp:163 in fa19cf33f9 outdated 
    159@@ -162,9 +160,7 @@ static RPCHelpMan testmempoolaccept()
160                                    "Array must contain between 1 and " + ToString(MAX_PACKAGE_COUNT) + " transactions.");
161             }
162 
163-            const CFeeRate max_raw_tx_fee_rate = request.params[1].isNull() ?
164-                                                     DEFAULT_MAX_RAW_TX_FEE_RATE :
165-                                                     CFeeRate(AmountFromValue(request.params[1]));
166+            const CFeeRate max_raw_tx_fee_rate{ParseFeeRate(self.Arg<UniValue>(1))};
    vasild commented at 9:27 am on February 15, 2024:

    What is the integer overflow?

    This passes on master @ 7143d4388407ab3d12005e55a02d5e8f334e4dc9:

     0$ echo "c2VuZHJhd3RyYW5zYWN0aW9uXAEAAAAAHgBiu7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7sBALu7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7EgAAAAAAAAC7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u2dldGNvbm5lY3Rpb25jb3VudLu7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7AAAAAAAAABK7u7u7u7u7u7u7u0S7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7uzhVbmlWYWx1Zbu7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7v+/////////7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7OFVuaVZhbHVlu7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7sA8P///wAAAAAAAAAAAAAAOgABAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF0ZQAAWwAAALu7u7u7u7u7u7u7u7u7uzhVbmlWYWx1Zbu7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7uu7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7uu7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7OFVuaVZhbHVlu7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7uzhVbmlWYWx1Zbu7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7APD///8AAAAAAAAAAAAAADoAAQAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAABwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABdGUAAFsAAAC7u7u7u7u7u7u7u7u7u7s4VW5pVmFsdWW7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7uzhVbmlWYWx1Zbu7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7uwDw////AAAAAAAAAAAAAAA6AAEAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAcAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAXRlAABbAAAAAAAA////HHNkYbu7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7uzhVbmlWYWx1Zbu7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7u7uwDw////AAAAAAAAAAAAAAA6AAEAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAABwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABdGUAAFsAAAAAAABuAAAAczD8XAAAdCsBAAAAgPWNkXN0KWFraWRh" |base64 -d > /tmp/fuzzraw
 1
 2$ sha256 /tmp/fuzzraw 
 3SHA256 (/tmp/fuzzraw) = c96713d51f04497c88ef60029bbe41024cda526dd39801c5994c114f66dfa9bd
 4
 5$ FUZZ=rpc ./src/test/fuzz/fuzz /tmp/fuzzraw 
 6INFO: Running with entropic power schedule (0xFF, 100).
 7INFO: Seed: 1616231335
 8INFO: Loaded 1 modules   (1269543 inline 8-bit counters): 1269543 [0x258a892cff18, 0x258a89405e3f), 
 9INFO: Loaded 1 PC tables (1269543 PCs): 1269543 [0x258a89405e40,0x258a8a7650b0), 
10./src/test/fuzz/fuzz: Running 1 inputs 1 time(s) each.
11Running: /tmp/fuzzraw
12Executed /tmp/fuzzraw in 0 ms
13***
14*** NOTE: fuzzing was not performed, you have only
15***       executed the target code on a fixed set of inputs.
16***
17$
    maflcko commented at 9:49 am on February 15, 2024:

    What is the integer overflow?

    You will have to correctly copy-paste the full base64 input. Mutating the base64 inputs may result in a different fuzz input, which will trigger a different code path. Or it may be invalid base64. On your base64, I get:

    0base64: invalid input

    To double check, if you correctly copy-paste the full input, you should get:

     0$ sha1sum /tmp/b
 16ef1eadaa3a1ad54365358b1ceb677bd1632396c  /tmp/b
 2$ sha256sum /tmp/b
 3fa82e44660796a5196cfb05483cae34356e9a2c55aab79d59161c887d5f23b37  /tmp/b
 4$ FUZZ=rpc UBSAN_OPTIONS="suppressions=$(pwd)/test/sanitizer_suppressions/ubsan:print_stacktrace=1:halt_on_error=1:report_error_type=1" ./src/test/fuzz/fuzz /tmp/b 
 5
 6Executed /tmp/b in 3 ms
 7
 8or
 9
10policy/feerate.cpp:29:63: runtime error: signed integer overflow: 1962496000000000 * 4714 cannot be represented in type 'int64_t' (aka 'long')
    vasild commented at 3:15 pm on February 16, 2024:
    I can reproduce now, my bad probably removing the newlines from the base64 input (even though my base64 tool succeeds in decoding that).
  9. vasild approved
  10. vasild commented at 9:40 am on February 15, 2024: contributor
    ACK fa19cf33f9dcfd3ccaa8012d09875fa939c02365
  11. rpc: Add ParseFeeRate helper fade94d11a
  12. rpc: Fixed signed integer overflow for large feerates fa2a4fdef7
  13. maflcko force-pushed on Feb 15, 2024
  14. in test/functional/mempool_accept.py:94 in fa2a4fdef7 outdated 
    89@@ -90,9 +90,17 @@ def run_test(self):
90         txid_in_block = self.wallet.sendrawtransaction(from_node=node, tx_hex=raw_tx_in_block)
91         self.generate(node, 1)
92         self.mempool_size = 0
93+        # Also check feerate. 1BTC/kvB fails
94+        assert_raises_rpc_error(-8, "Fee rates larger than or equal to 1BTC/kvB are not accepted", lambda: self.check_mempool_result(
    brunoerg commented at 2:35 pm on February 15, 2024:
    nit (fa2a4fdef779b01e847def5985deafedc6dd3da8): We could test negative values as well.
    maflcko commented at 2:37 pm on February 15, 2024:
    This is unrelated to this pull request, so I am happy to review another pull that adds this check.
    kevkevinpal commented at 3:18 am on February 21, 2024:
    Created a PR to cover this https://github.com/bitcoin/bitcoin/pull/29459
  15. brunoerg commented at 2:35 pm on February 15, 2024: contributor
    light crACK fa2a4fdef779b01e847def5985deafedc6dd3da8
  16. DrahtBot requested review from vasild on Feb 15, 2024
  17. BrandonOdiwuor approved
  18. BrandonOdiwuor commented at 2:53 pm on February 15, 2024: contributor
    Code Review ACK fa2a4fdef779b01e847def5985deafedc6dd3da8
  19. maflcko commented at 4:32 pm on February 15, 2024: member
    Pushed a commit to clarify the docs while touching the code here.
  20. doc: Clarify maxfeerate help dddd7be9bf
  21. maflcko force-pushed on Feb 15, 2024
  22. vasild approved
  23. vasild commented at 3:26 pm on February 16, 2024: contributor
    ACK dddd7be9bf038c25f3e53c5bd708fb9cf73d4493
  24. DrahtBot requested review from BrandonOdiwuor on Feb 16, 2024
  25. DrahtBot requested review from brunoerg on Feb 16, 2024
  26. tdb3 commented at 3:55 pm on February 16, 2024: contributor

    Good work on the find and fix.
    Seems to work well. Code review ACK and basic test ACK for dddd7be9bf038c25f3e53c5bd708fb9cf73d4493.

    Test actions taken: Checked out PR branch, built, ran all unit and functional tests (all passed). As a basic sanity check, created a regtest transaction with high fee rate (> 1 BTC/kvB) and executed testmempoolaccept/sendrawtransaction on both the PR branch and v26.0. v26.0 allows and PR code rejects with expected error -8.

    v26.0:

     0$ bitcoin-cli -regtest testmempoolaccept '["020000000001013fbb09530d97bda4b685b49eb6203acf448a1e453d46731564bf7462282efcb80000000000fdffffff018052302901000000160014c5dd9411b1556a3e13de5e8ba902b3eb3430f19f02473044022054dde0cb3af2efca3847198fc4efc2dcfcef8e4418acefadc0b9ad13287202ad022020798884fbd4e83eac220e4b9ebac339ce6caa15eb86b8e5c5e47f9a9de2f1440121023fb60e94d35f553058d4a5c6b466a5e97910f46d3a8a9f758a813becf15e0ee100000000"]' 2
 1[
 2  {
 3    "txid": "49d886fb41a4e7a079d33bc9b0bf7018e9cb2217e90e924e3dd7d1817cf63b64",
 4    "wtxid": "ab97ee97f595c13f89e6f03f3ed2c3b0ccaf5e75269f87b6a22b19436e43f654",
 5    "allowed": true,
 6    "vsize": 110,
 7    "fees": {
 8      "base": 0.14000000,
 9      "effective-feerate": 1.27272727,
10      "effective-includes": [
11        "ab97ee97f595c13f89e6f03f3ed2c3b0ccaf5e75269f87b6a22b19436e43f654"
12      ]
13    }
14  }
15]
16
17$ bitcoin-cli -regtest sendrawtransaction 020000000001013fbb09530d97bda4b685b49eb6203acf448a1e453d46731564bf7462282efcb80000000000fdffffff018052302901000000160014c5dd9411b1556a3e13de5e8ba902b3eb3430f19f02473044022054dde0cb3af2efca3847198fc4efc2dcfcef8e4418acefadc0b9ad13287202ad022020798884fbd4e83eac220e4b9ebac339ce6caa15eb86b8e5c5e47f9a9de2f1440121023fb60e94d35f553058d4a5c6b466a5e97910f46d3a8a9f758a813becf15e0ee100000000 2
1849d886fb41a4e7a079d33bc9b0bf7018e9cb2217e90e924e3dd7d1817cf63b64

    PR 29434 commit dddd7be9bf038c25f3e53c5bd708fb9cf73d4493:

    0$ bitcoin-cli -regtest testmempoolaccept '["020000000001013fbb09530d97bda4b685b49eb6203acf448a1e453d46731564bf7462282efcb80000000000fdffffff018052302901000000160014c5dd9411b1556a3e13de5e8ba902b3eb3430f19f02473044022054dde0cb3af2efca3847198fc4efc2dcfcef8e4418acefadc0b9ad13287202ad022020798884fbd4e83eac220e4b9ebac339ce6caa15eb86b8e5c5e47f9a9de2f1440121023fb60e94d35f553058d4a5c6b466a5e97910f46d3a8a9f758a813becf15e0ee100000000"]' 2
1error code: -8
2error message:
3Fee rates larger than or equal to 1BTC/kvB are not accepted
4
5$ bitcoin-cli -regtest sendrawtransaction 020000000001013fbb09530d97bda4b685b49eb6203acf448a1e453d46731564bf7462282efcb80000000000fdffffff018052302901000000160014c5dd9411b1556a3e13de5e8ba902b3eb3430f19f02473044022054dde0cb3af2efca3847198fc4efc2dcfcef8e4418acefadc0b9ad13287202ad022020798884fbd4e83eac220e4b9ebac339ce6caa15eb86b8e5c5e47f9a9de2f1440121023fb60e94d35f553058d4a5c6b466a5e97910f46d3a8a9f758a813becf15e0ee100000000 2
6error code: -8
7error message:
8Fee rates larger than or equal to 1BTC/kvB are not accepted
  27. DrahtBot removed review request from BrandonOdiwuor on Feb 16, 2024
  28. DrahtBot requested review from BrandonOdiwuor on Feb 16, 2024
  29. brunoerg commented at 9:45 pm on February 16, 2024: contributor
    crACK dddd7be9bf038c25f3e53c5bd708fb9cf73d4493
  30. DrahtBot removed review request from brunoerg on Feb 16, 2024
  31. DrahtBot removed review request from BrandonOdiwuor on Feb 16, 2024
  32. DrahtBot requested review from BrandonOdiwuor on Feb 16, 2024
  33. in src/rpc/util.cpp:78 in dddd7be9bf 
    74@@ -75,6 +75,13 @@ CAmount AmountFromValue(const UniValue& value, int decimals)
75     return amount;
76 }
77 
78+CFeeRate ParseFeeRate(const UniValue& json)
    fjahr commented at 4:41 pm on February 18, 2024:
    nit: Would have named it ParseReasonableFeeRate or ParseLimitedFeeRate to make clear it’s doing more than just parsing.
    fjahr commented at 4:43 pm on February 18, 2024:
    Alternatively could have made the limit a parameter, because that also makes it clearer.
    maflcko commented at 9:42 am on February 19, 2024:
    Sure, may do if I re-touch.
  34. fjahr commented at 4:50 pm on February 18, 2024: contributor
    utACK dddd7be9bf038c25f3e53c5bd708fb9cf73d4493
  35. DrahtBot removed review request from BrandonOdiwuor on Feb 18, 2024
  36. DrahtBot requested review from BrandonOdiwuor on Feb 18, 2024
  37. DrahtBot removed review request from BrandonOdiwuor on Feb 18, 2024
  38. DrahtBot requested review from BrandonOdiwuor on Feb 18, 2024
  39. DrahtBot removed review request from BrandonOdiwuor on Feb 19, 2024
  40. DrahtBot requested review from BrandonOdiwuor on Feb 19, 2024
  41. fanquake assigned achow101 on Feb 19, 2024
  42. achow101 commented at 6:07 pm on February 19, 2024: member
    ACK dddd7be9bf038c25f3e53c5bd708fb9cf73d4493
  43. DrahtBot removed review request from BrandonOdiwuor on Feb 19, 2024
  44. DrahtBot requested review from BrandonOdiwuor on Feb 19, 2024
  45. achow101 merged this on Feb 19, 2024
  46. achow101 closed this on Feb 19, 2024
  47. maflcko deleted the branch on Feb 20, 2024
  48. luke-jr referenced this in commit c46bd008ae on Mar 10, 2024
  49. luke-jr referenced this in commit ea064f73bb on Mar 10, 2024
  50. luke-jr referenced this in commit 2d35cc3995 on Mar 10, 2024
  51. luke-jr referenced this in commit 1d9d47c497 on Mar 10, 2024
  52. mzumsande commented at 2:58 am on April 19, 2024: contributor
    Looks like this has uncovered a bug in btcd affecting lnd, see https://twitter.com/roasbeef/status/1781086945986404559.
  53. maflcko commented at 8:39 am on April 19, 2024: member

    a bug in btcd

    I presume the bug was fixed in https://github.com/btcsuite/btcd/pull/2142

    I wonder why this wasn’t found earlier in btcd, because if signed integer overflow happened, it could have resulted in rejected transactions as well (or anything else, since it is undefined behavior).

    A possible explanation could be that no one sent a large enough transaction, or set a large enough maxfeerate to trigger the UB, or maybe someone did run into it and then re-tried with different values until it passed, and didn’t think it would be a bug.

    It could be interesting to explore ways how to detect bugs in downstream projects faster. One example could be for downstream projects to have one CI task dedicated to testing the Bitcoin Core master development branch, instead of waiting for the rc1 of the next release.


maflcko DrahtBot vasild brunoerg kevkevinpal BrandonOdiwuor tdb3 fjahr achow101 mzumsande


BrandonOdiwuor

Labels
RPC/REST/ZMQ

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-09-28 22:12 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me