bolt11: avoid reading uninitialized memory

morehouse · rustyrussell · commit 440fe8cd7ce5 · 2023-10-15T12:39:44.000+10:30
If both databits and *data_len are 0, pull_uint returns unitialized
stack memory in *val.

Detected by valgrind and UBSan.

valgrind:
==225078== Use of uninitialised value of size 8
==225078==    __sanitizer_cov_trace_cmp8
==225078==    decode_c (bolt11.c:294)
==225078==    bolt11_decode_nosig (bolt11.c:881)
==225078==    bolt11_decode (bolt11.c:945)

UBSan:
common/bolt11.c:79:29: runtime error: shift exponent 64 is too large for 64-bit type 'uint64_t'
diff --git a/common/bolt11.c b/common/bolt11.c
@@ -76,7 +76,11 @@ static const char *pull_uint(struct hash_u5 *hu5,
 	err = pull_bits(hu5, data, data_len, &be_val, databits, true);
 	if (err)
 		return err;
-	*val = be64_to_cpu(be_val) >> (sizeof(be_val) * CHAR_BIT - databits);
+	if (databits == 0)
+		*val = 0;
+	else
+		*val = be64_to_cpu(be_val) >>
+		       (sizeof(be_val) * CHAR_BIT - databits);
 	return NULL;
 }
 
diff --git a/tests/fuzz/corpora/fuzz-bolt11-decode/crash-ad3693f6c454ce739ca67a4aff234cb3f3f598b5 b/tests/fuzz/corpora/fuzz-bolt11-decode/crash-ad3693f6c454ce739ca67a4aff234cb3f3f598b5
@@ -0,0 +1 @@
+lnltc1zzzzzAzcQQQQQZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZXZZZZZZZZZZZZZZZZZJZZZZZZZZZZzzzZZZZZZZZ

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+lnltc1zzzzzAzcQQQQQZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZXZZZZZZZZZZZZZZZZZJZZZZZZZZZZzzzZZZZZZZZ`