Cut 0.2.3/dns-resolver 0.3.1/invoice 0.34.1/types 0.3.2 #4723

Merged
TheBlueMatt merged 9 commits into lightningdevkit:0.2 from TheBlueMatt:2026-06-0.2.3 on Jun 19, 2026
Conversation

@TheBlueMatt

Collaborator

Based on #4722

tnull and others added 9 commits June 18, 2026 21:11
Payment parameters should use the canonical payee key from BOLT11
invoices. When an invoice includes an n field, using that key avoids
attempting signature recovery that may legitimately be unavailable.

Co-Authored-By: HAL 9000

This finding was discovered by Project Loupe

Backport of 06393eb

Conflicts resolved in:
 * lightning/src/routing/router.rs

Crafted route hints can overflow aggregate downstream proportional fees
when the payer disables the routing fee cap. Treat such paths as
unusable so route finding fails cleanly instead of panicking.

Co-Authored-By: HAL 9000
Signed-off-by: Elias Rohrer <dev@tnull.de>

Backport of beffe75

Counterparty-provided strings in network messages (Error, Warning,
TxAbort) were logged without length limits, allowing a malicious peer
to bloat log files. Some logging sites also lacked the same
sanitization used for other untrusted strings.

Add a `DebugMsg` struct and `log_msg!` macro that consistently
truncate messages to 512 characters while preserving `PrintableString`
sanitization. Replace all bare `msg.data` and ad hoc
`PrintableString(&msg.data)` usages at the 7 relevant logging sites
in `peer_handler.rs` and `channel.rs`.

Co-Authored-By: HAL 9000

Backport of e2f611e

Conflicts resolved in:
 * lightning/src/ln/peer_handler.rs

If an RGS server sends snapshots that are absurdly-sized, they can
bloat a client's network graph, eventually leading to an OOM. While
we generally consider RGS servers to be semi-trusted (at least in
the sense that they can often simply not respond and leave a client
unable to find paths) we should still avoid allowing them to OOM a
client.

Thus, here, we naively start ignoring new channels from an RGS
server if they leave our graph 10x larger than we expect. This at
least avoids the OOM even if we end up not being able to make
payments.

Reported by Jordan Mecom of Block's Security Team

Backport of 7a89362

Conflicts resolved in:
 * lightning/src/routing/gossip.rs

Luckily this was only used in `ChannelManager` and scorer
deserialization, though we anticipate occasionally fetching the
second from an only semi-trusted source.

Backport of 5b4626f

Rust's panicky string slicing behavior has always been a sharp edge
and here it finally caught up with us. Ensure we don't slice into
a string provided in an onion message until we're sure the index
is a character boundary.

Reported by Jordan Mecom of Block's Security Team

Backport of ae852b5

It turns out that conditionally-enabling a dependency via `target`
in `Cargo.toml` does not enable the corresponding dependency
`feature` when compiling the code. As a result, only when building
`possiblyrandom` with an explicit `getrandom` feature did we ever
actually return random values.

This fixes this by matching the `target` cfg in `Cargo.toml` to the
cfg in `lib.rs`.

Reported by Project Loupe

Backport of b7c9935
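An added example, not LDK's own code, showing the two panic-free patterns the commits above describe: truncating a peer-supplied string on a character boundary before logging it, and checking a TXT-record prefix by comparing byte slices instead of slicing a `&str` at an arbitrary index. `DebugMsg`, `truncate_chars`, `render`, `has_txt_prefix` and the `?`/`...(truncated)` rendering are assumptions of this example, not LDK's `PrintableString` or `log_msg!` implementation.

```rust
// Added example, not LDK's own code: two panic-free patterns for untrusted
// UTF-8 strings (char-boundary log truncation, byte-slice prefix checks).
use std::fmt;

/// Character cap for logged peer-supplied strings (the value the PR uses).
pub const MAX_LOG_CHARS: usize = 512;

/// Cut `s` after at most `max_chars` chars. `char_indices().nth(n)` is the byte
/// offset where the (n+1)th char starts, always a char boundary, so the slice
/// cannot panic on multi-byte input. Also returns whether anything was dropped.
pub fn truncate_chars(s: &str, max_chars: usize) -> (&str, bool) {
    match s.char_indices().nth(max_chars) {
        Some((byte_idx, _)) => (&s[..byte_idx], true),
        None => (s, false),
    }
}

/// Display wrapper for untrusted text: bounded length, control chars replaced so
/// a peer can neither bloat logs nor forge lines (rendering is assumed here).
pub struct DebugMsg<'a>(pub &'a str);

impl fmt::Display for DebugMsg<'_> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let (shown, cut) = truncate_chars(self.0, MAX_LOG_CHARS);
        for c in shown.chars() {
            write!(f, "{}", if c.is_control() { '?' } else { c })?;
        }
        if cut { f.write_str("...(truncated)")?; }
        Ok(())
    }
}

/// Renders a message the way a `log_msg!`-style macro would embed it.
pub fn render(msg: &str) -> String {
    DebugMsg(msg).to_string()
}

/// Prefix check on an untrusted TXT record: `&record[..prefix.len()]` panics if
/// that byte index is inside a multi-byte char; comparing bytes never does.
pub fn has_txt_prefix(record: &str, prefix: &str) -> bool {
    record.as_bytes().starts_with(prefix.as_bytes())
}

fn main() {
    // Constructed inputs: an oversized peer error and a unicode-prefixed record.
    let err = "é".repeat(600);
    println!("{}", render(&err));
    println!("{}", has_txt_prefix("\u{00e9}bitcoin:", "bitcoin:"));
}
```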
@ldk-reviews-bot

ldk-reviews-bot commented Jun 18, 2026


I've assigned @jkczyz as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

@TheBlueMatt TheBlueMatt changed the base branch from main to 0.2 June 18, 2026 21:58
@ldk-claude-review-bot

Collaborator

No issues found.

I reviewed every file and hunk in this 0.2.3 security-release PR:

  • Version bumps (Cargo.toml × several) and CHANGELOG.md — trivial, correct.
  • lightning-invoice/src/lib.rs — recover_payee_pub_key now delegates to get_payee_pub_key, preferring the explicit payee key. The remaining expect is safe because the constructor's check_signature requires successful recovery when no explicit key is present.
  • lightning-rapid-gossip-sync/src/processing.rs — node/channel count caps are sound; the read lock is dropped before write operations (no deadlock); all per-announcement reads occur before the continue skip (no stream desync); arithmetic is u64-safe.
  • lightning/src/routing/router.rs — overflow now returns Err(idx+1), which is always in bounds (aggregation overflow requires ≥2 following hops); mark_candidate_liquidity_exhausted prevents re-selection loops.
  • lightning/src/onion_message/dns_resolution.rs — switching to byte-slice comparison correctly fixes the UTF-8 boundary panic for unicode-prefixed TXT records.
  • lightning/src/util/ser.rs — map pre-allocation cap is correct; cmp is imported; entry_size + 1 avoids div-by-zero for ZSTs.
  • lightning/src/util/macro_logger.rs — DebugMsg truncates on a valid char boundary via char_indices().nth(); log_msg! is in scope crate-wide; &String/&Cow<str> deref-coerce to &str.
  • lightning/src/ln/{channel,peer_handler}.rs — log_msg! call sites are type-correct.
  • possiblyrandom/src/lib.rs — zero-fill-then-getrandom is correct across all cfg combinations.

All changes are consistent, the panic/overflow/DoS fixes are correct, and no new bugs or regressions were introduced.

@ldk-reviews-bot ldk-reviews-bot requested a review from jkczyz June 18, 2026 22:08
@TheBlueMatt TheBlueMatt merged commit a47dfbd into lightningdevkit:0.2 Jun 19, 2026
1 check passed