[v0.21.x-branch] Backport #10914: discovery: fix panic in DNS fallback SRV lookup#10922
[v0.21.x-branch] Backport #10914: discovery: fix panic in DNS fallback SRV lookup#10922github-actions[bot] wants to merge 2 commits into
Conversation
The fallback SRV lookup type-asserted each DNS Answer record to *dns.SRV unconditionally. If the response contains a non-SRV record (e.g. an A or CNAME), the type assertion panics and crashes the daemon. Use the comma-ok form to skip non-SRV records instead. Also guard against an empty LookupHost result for the shim, which would otherwise panic on an out-of-bounds index into addrs. This is safe to discuss and fix in public. The bug is very unlikely to be exploitable: triggering it requires either a DNS seeder to serve a malformed response, or an on-path MITM injecting one (the fallback response is unauthenticated). A malicious seeder already has far more direct ways to disrupt a node, and a MITM attack is hard to mount, so the panic does not meaningfully widen the attack surface. (cherry picked from commit 2a3642c)
|
Please cherry-pick the changes locally and resolve any conflicts. git fetch origin backport-10914-to-v0.21.x-branch
git worktree add --checkout .worktree/backport-10914-to-v0.21.x-branch backport-10914-to-v0.21.x-branch
cd .worktree/backport-10914-to-v0.21.x-branch
git reset --hard HEAD^
git cherry-pick -x 2ee49698afa74373fa51acc61edd5620cb623f61
git push --force-with-lease |
modified: to update the release notes at 0.21.1
erickcestari
force-pushed
the
backport-10914-to-v0.21.x-branch
branch
from
3dbead5 to
90eb73c
Compare
github-actions
Bot
added
the
severity-high
PR Severity: HIGHdiscovery/* (gossip protocol) | 2 files | 46 lines changed (excluding tests) High severity files (1):
Low severity files (1):
AnalysisThis PR modifies discovery/bootstrapper.go, which falls under the discovery/* package (Gossip protocol) - classified as HIGH severity. The change has 35 additions and 5 deletions in the production source file, with 217 lines added in the accompanying test file (discovery/bootstrapper_test.go). Severity bump checks (applied to non-test, non-generated files only):
The accompanying test coverage for the bootstrapper changes is a positive indicator. A knowledgeable engineer familiar with the gossip/discovery subsystem should review the bootstrapper logic changes carefully, as this component handles initial peer discovery for the Lightning Network. To override, add a severity-override-{critical,high,medium,low} label. |
1 participant
Backport of #10914
The fallback SRV lookup type-asserted each DNS Answer record to
*dns.SRVunconditionally. If the response contains a non-SRV record (e.g. an A or
CNAME), the type assertion panics and crashes the daemon. Use the
comma-ok form to skip non-SRV records instead.
Also guard against an empty
LookupHostresult for the shim, which wouldotherwise panic on an out-of-bounds index into addrs.
This is safe to discuss and fix in public. The bug is very unlikely to be
exploitable: triggering it requires either a DNS seeder to serve a
malformed response, or an on-path MITM injecting one (the fallback
response is unauthenticated). A malicious seeder already has far more
direct ways to disrupt a node, and a MITM attack is hard to mount, so the
panic does not meaningfully widen the attack surface.