brunoerg / bitcoinfuzz

Differential Fuzzing of Bitcoin implementations and libraries

psbt: extra data after PSBT #43

Open brunoerg opened 2 weeks ago

brunoerg commented 2 weeks ago

Just got a crash in the psbt target: Bitcoin Core fails due to extra data after the PSBT, while rust-bitcoin seems not to check it.

Base64: cHNidP8BAAr///8AAAAAAAAAAD0Acw==

brunoerg commented 1 week ago

btcd also doesn't check. API mismatch.

apoelstra commented 1 week ago

Yep, you can see that https://docs.rs/bitcoin/0.32.0/src/bitcoin/psbt/mod.rs.html#1197-1200 (a) calls Psbt::deserialize rather than encode::deserialize (PSBT has its own serialization module which does not have any no-trailing-data-checks) and (b) does not do any additional checks.

Definitely from_str should have a max length check. Doesn't look like we have any from_slice type method but if we do then it should also do a check.

brunoerg commented 1 week ago

> Definitely from_str should have a max length check. Doesn't look like we have any from_slice type method but if we do then it should also do a check.

Should we open an issue in rust-bitcoin repo to facilitate tracking this?

apoelstra commented 1 week ago

Yes, please do!
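The no-trailing-data check the thread asks for, as an added example that is not bitcoinfuzz's, rust-bitcoin's or Bitcoin Core's code: a minimal walk of the PSBT framing (magic, global map, one map per input and output of the unsigned transaction) that returns whatever bytes follow the last map, so a differential harness can assert both sides agree that anything non-empty is a decode failure. Function and constant names are this example's own.

```python
import base64

PSBT_MAGIC = b"psbt\xff"
PSBT_GLOBAL_UNSIGNED_TX = b"\x00"  # key type 0x00, BIP 174


def read_compact_size(buf: bytes, pos: int) -> tuple[int, int]:
    """Bitcoin CompactSize varint; returns (value, new_pos). Truncated input raises IndexError."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    width = {0xFD: 2, 0xFE: 4, 0xFF: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width


def read_map(buf: bytes, pos: int) -> tuple[dict[bytes, bytes], int]:
    """One PSBT map: repeated <keylen><key><valuelen><value>, terminated by a 0x00 keylen."""
    entries: dict[bytes, bytes] = {}
    while True:
        klen, pos = read_compact_size(buf, pos)
        if klen == 0:
            return entries, pos
        key, pos = buf[pos:pos + klen], pos + klen
        vlen, pos = read_compact_size(buf, pos)
        entries[key] = buf[pos:pos + vlen]
        pos += vlen


def tx_io_counts(tx: bytes) -> tuple[int, int]:
    """Walk a non-witness serialized transaction and return (n_inputs, n_outputs)."""
    pos = 4  # skip version
    n_in, pos = read_compact_size(tx, pos)
    for _ in range(n_in):
        pos += 36  # outpoint (txid + vout)
        slen, pos = read_compact_size(tx, pos)
        pos += slen + 4  # scriptSig + sequence
    n_out, pos = read_compact_size(tx, pos)
    for _ in range(n_out):
        pos += 8  # amount
        slen, pos = read_compact_size(tx, pos)
        pos += slen  # scriptPubKey
    return n_in, n_out


def psbt_trailing_bytes(raw: bytes) -> bytes:
    """Parse the PSBT framing; return the bytes after the last map (b'' means a clean PSBT)."""
    if not raw.startswith(PSBT_MAGIC):
        raise ValueError("bad PSBT magic")
    global_map, pos = read_map(raw, len(PSBT_MAGIC))
    n_in, n_out = tx_io_counts(global_map[PSBT_GLOBAL_UNSIGNED_TX])
    for _ in range(n_in + n_out):  # one map per input, then one per output
        _, pos = read_map(raw, pos)
    return raw[pos:]


def psbt_trailing_bytes_b64(psbt_b64: str) -> bytes:
    """Same check on a base64 PSBT string, the form the crash input above is given in."""
    return psbt_trailing_bytes(base64.b64decode(psbt_b64))
```

On the crash input from the first comment the unsigned transaction has zero inputs and outputs, so the PSBT ends right after the global map and three bytes (`3d 00 73`) are left over; a strict decoder must reject that rather than silently succeed.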