Running the chanmon_consistency fuzz target on main reveals three distinct panics. All three bisect to the splice RBF PR, starting at 5b6ba43 ("Add rbf_channel API for initiating splice RBF").
Crash 1: assert_action_timeout_awaiting_response failure
A HandleError event contains an ErrorAction that isn't the expected timeout disconnect warning.
assertion failed: matches!(action, msgs::ErrorAction::DisconnectPeerWithWarning { msg } if
msg.data.contains("Disconnecting due to timeout awaiting response"))
Repro (from fuzz/):
echo -ne '\xff\xa0\xa0\x3d\xff\xff\x80\xff\xff\xa2\xa0\xff\xab\xad\xff\x25' | RUSTFLAGS="--cfg=fuzzing --cfg=secp256k1_fuzz --cfg=hashes_fuzz" cargo run --features stdin_fuzz --bin chanmon_consistency_target

Crash 2: Stuck pending payments
After settling all channel state, a node still has unresolved pending payments.
Node 0 has 1 stuck pending payments after settling all state
Repro (from fuzz/):
echo -ne '\x70\xa4\x80\xff\xff\xa1\x27\xa4\xff\xff\xff\xff' | RUSTFLAGS="--cfg=fuzzing --cfg=secp256k1_fuzz --cfg=hashes_fuzz" cargo run --features stdin_fuzz --bin chanmon_consistency_target

Crash 3: unwrap() on None in splice handler
The fuzz target calls unwrap() on a channel lookup that returns None, likely because the channel was closed before the splice callback executed.
called `Option::unwrap()` on a `None` value
Repro (from fuzz/):
echo -ne '\x70\xa4\x27\x80\xff\xa4\x80\xff\xa4\xff\xff\xff\xa6\xab\xab\xab\xab\xab\xa4\xa6\xff\xff\xff\xff' | RUSTFLAGS="--cfg=fuzzing --cfg=secp256k1_fuzz --cfg=hashes_fuzz" cargo run --features stdin_fuzz --bin chanmon_consistency_target
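The close-before-callback race hypothesised for crash 3, as an added stand-alone Rust illustration (not rust-lightning's code or the fuzz target itself): a splice callback captures a channel id while the channel is open, the channel is closed before the callback runs, and a lookup that `unwrap()`s panics exactly as reported, while a version that treats "channel gone" as an expected outcome does not. The `Channel` struct, the `u64` channel id and the callback names are constructed for this example.

```rust
use std::collections::HashMap;
use std::panic;

/// Hypothetical stand-in for per-channel state; not rust-lightning's types.
#[derive(Debug, Clone, PartialEq)]
struct Channel {
    funding_txo_confirmed: bool,
}

/// Constructed channel table keyed by a plain u64 (not LDK's ChannelId).
type Channels = HashMap<u64, Channel>;

/// Deferred splice callback written the way crash 3 suggests: unwrap the lookup.
/// Once the channel has been closed this panics with
/// "called `Option::unwrap()` on a `None` value".
fn splice_callback_unwrap(channels: &Channels, channel_id: u64) -> bool {
    let chan = channels.get(&channel_id).unwrap();
    chan.funding_txo_confirmed
}

/// Hardened variant: a missing channel is a legitimate outcome (it was closed
/// while the callback was queued), so it is reported rather than treated as a bug.
fn splice_callback_checked(channels: &Channels, channel_id: u64) -> Result<bool, String> {
    match channels.get(&channel_id) {
        Some(chan) => Ok(chan.funding_txo_confirmed),
        None => Err(format!("channel {channel_id} closed before splice callback ran")),
    }
}

/// Reproduce the race: register the callback while the channel exists, close the
/// channel, then fire the callback. Returns (unwrap version panicked?, checked result).
fn simulate_close_before_callback() -> (bool, Result<bool, String>) {
    let mut channels: Channels = HashMap::new();
    channels.insert(7, Channel { funding_txo_confirmed: true });
    let target = 7; // id captured by the callback while the channel was open
    channels.remove(&target); // channel closed before the callback executes
    let panicked = panic::catch_unwind(|| splice_callback_unwrap(&channels, target)).is_err();
    (panicked, splice_callback_checked(&channels, target))
}

fn main() {
    let (panicked, checked) = simulate_close_before_callback();
    println!("unwrap version panicked: {panicked}; checked version: {checked:?}");
}
```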