common/bolt11: enforce minimum witness program length for fallback addresses

erickcestari · rustyrussell · commit d7319795b4f3 · 2025-04-15T10:41:33.000+09:30
BIP-141 specifies that a witness program must be between 2 and 40 bytes in
length. In our fallback address parsing, we were already checking the upper
bound, but missing the lower bound check. This commit adds validation to
ensure fallback address witness programs are at least 2 bytes long, bringing
our implementation in line with the spec and other implementations like
rust-lightning.

Changelog-Fixed: Enforced minimum witness program length of 2 bytes for
fallback addresses to comply with BIP-141 and prevent invalid decodings.
diff --git a/common/bolt11.c b/common/bolt11.c
@@ -420,7 +420,7 @@ static const char *decode_f(struct bolt11 *b11,
 				       "f: witness v1 bad length %zu",
 				       tal_count(f));
 		}
-		if (tal_count(f) > 40) {
+		if (tal_count(f) > 40 || tal_count(f) < 2) {
 			return tal_fmt(b11,
 				       "f: witness v%"PRIu64" bad length %zu",
 				       version,

Original file line number	Diff line number	Diff line change
`@@ -420,7 +420,7 @@ static const char decode_f(struct bolt11 b11,`
`420`	`420`	`"f: witness v1 bad length %zu",`
`421`	`421`	`tal_count(f));`
`422`	`422`	`}`
`423`		`- if (tal_count(f) > 40) {`
	`423`	`+ if (tal_count(f) > 40 \|\| tal_count(f) < 2) {`
`424`	`424`	`return tal_fmt(b11,`
`425`	`425`	`"f: witness v%"PRIu64" bad length %zu",`
`426`	`426`	`version,`