fuzzing: fixed calculation of serializedSize() in features.go

This commit fixes an incorrectly calculated size of a *FeatureVector in the serializedSize() function. go-fuzz found that when calling NewFeatureVectorFromReader, if a flag is invalid, it is not added to f.flags. However, it will skip the index that wasn't included. This becomes a problem when serializedSize() calculates the length of f.flags via len() which can lead to an index out of range since certain flags may be missing.
2017-09-15 13:04:46 -04:00 · 2017-09-15 13:04:46 -04:00 · d65f17f1b1
parent 7662ea5d4d
commit d65f17f1b1
1 changed files with 13 additions and 1 deletions
--- a/lnwire/features.go
+++ b/lnwire/features.go
@ -113,7 +113,19 @@ func (f *FeatureVector) SetFeatureFlag(name featureName, flag featureFlag) error
 // serializedSize returns the number of bytes which is needed to represent
 // feature vector in byte format.
 func (f *FeatureVector) serializedSize() uint16 {
-	return uint16(math.Ceil(float64(flagBitsSize*len(f.flags)) / 8))
+	// Find the largest index in f.flags
+	max := -1
+	for index := range f.flags {
+		if index > max {
+			max = index
+		}
+	}
+	if max == -1 {
+		return 0
+	}
+	// We calculate length via the largest index in f.flags so as to not
+	// get an index out of bounds in Encode's setFlag function.
+	return uint16(math.Ceil(float64(flagBitsSize*(max+1)) / 8))
 }

 // NewFeatureVectorFromReader decodes the feature vector from binary