From d65f17f1b1eacb1208011571f8449f1801aa4895 Mon Sep 17 00:00:00 2001
From: nsa
Date: Fri, 15 Sep 2017 13:04:46 -0400
Subject: [PATCH] fuzzing: fixed calculation of serializedSize() in features.go

This commit fixes an incorrectly calculated size of a *FeatureVector in the serializedSize() function. go-fuzz found that when calling NewFeatureVectorFromReader, if a flag is invalid, it is not added to f.flags. However, it will skip the index that wasn't included. This becomes a problem when serializedSize() calculates the length of f.flags via len() which can lead to an index out of range since certain flags may be missing.
---
 lnwire/features.go | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/lnwire/features.go b/lnwire/features.go
index e2be0426..726e622a 100644
--- a/lnwire/features.go
+++ b/lnwire/features.go
@@ -113,7 +113,19 @@ func (f *FeatureVector) SetFeatureFlag(name featureName, flag featureFlag) error
 // serializedSize returns the number of bytes which is needed to represent
 // feature vector in byte format.
 func (f *FeatureVector) serializedSize() uint16 {
-	return uint16(math.Ceil(float64(flagBitsSize*len(f.flags)) / 8))
+	// Find the largest index in f.flags
+	max := -1
+	for index := range f.flags {
+		if index > max {
+			max = index
+		}
+	}
+	if max == -1 {
+		return 0
+	}
+	// We calculate length via the largest index in f.flags so as to not
+	// get an index out of bounds in Encode's setFlag function.
+	return uint16(math.Ceil(float64(flagBitsSize*(max+1)) / 8))
 }
 
 // NewFeatureVectorFromReader decodes the feature vector from binary
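Review bot: The new return line casts `flagBitsSize*(max+1)` to uint16 with no range check, so if a sufficiently large key ever reaches f.flags the size silently wraps and the caller allocates or writes a buffer smaller than Encode actually needs; the commit message says the keys are populated from NewFeatureVectorFromReader, so whether that is reachable depends on validation I cannot see in this hunk. A cheap guard such as `if bits := flagBitsSize * (max + 1); bits > math.MaxUint16*8 { return math.MaxUint16 }` or an explicit comment stating the invariant that bounds the index would make the contract clear. Separately, the accumulator named `max` shadows Go's built-in `max` (Go 1.21+) and reads like a function; `maxIndex := -1` avoids that. The leading comment `// Find the largest index in f.flags` should end with a period to match the surrounding doc style.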