Merge bitcoin#20372: Avoid signed integer overflow when loading a mempool.dat file with a malformed time field

MarcoFalke · MarcoFalke · commit 027e51f71517 · 2020-11-12T09:34:48.000+01:00
ee11a41 Avoid signed integer overflow when loading a mempool.dat file with a malformed time field (practicalswift) Pull request description: Avoid signed integer overflow when loading a `mempool.dat` file with a malformed time field. Avoid the following signed integer overflow: ``` $ xxd -p -r > mempool.dat-crash-1 <<EOF 0100000000000000000000000004000000000000000000000000ffffffff ffffff7f00000000000000000000000000 EOF $ cp mempool.dat-crash-1 ~/.bitcoin/regtest/mempool.dat $ UBSAN_OPTIONS="print_stacktrace=1:halt_on_error=1:report_error_type=1" src/bitcoind -regtest validation.cpp:5079:23: runtime error: signed integer overflow: 9223372036854775807 + 1209600 cannot be represented in type 'long' #0 0x5618d335197f in LoadMempool(CTxMemPool&) src/validation.cpp:5079:23 #1 0x5618d3350df3 in CChainState::LoadMempool(ArgsManager const&) src/validation.cpp:4217:9 #2 0x5618d2b9345f in ThreadImport(ChainstateManager&, std::vector<boost::filesystem::path, std::allocator<boost::filesystem::path> >, ArgsManager const&) src/init.cpp:762:33 #3 0x5618d2b92162 in AppInitMain(util::Ref const&, NodeContext&, interfaces::BlockAndHeaderTipInfo*)::$_14::operator()() const src/init.cpp:1881:9 ``` This PR was broken out from PR bitcoin#20089. Hopefully this PR is trivial to review. Fixes a subset of bitcoin#19278. ACKs for top commit: MarcoFalke: review ACK ee11a41 Crypt-iQ: crACK ee11a41 Tree-SHA512: 227ab95cd7d22f62f3191693b455eacfa8e36534961bee12c622fc9090957cfb29992eabafa74d806a336e03385aa8f98b7ce734f04b0b400e33aa187d353337
diff --git a/src/validation.cpp b/src/validation.cpp
@@ -5084,7 +5084,7 @@ bool LoadMempool(CTxMemPool& pool)
                 pool.PrioritiseTransaction(tx->GetHash(), amountdelta);
             }
             TxValidationState state;
-            if (nTime + nExpiryTimeout > nNow) {
+            if (nTime > nNow - nExpiryTimeout) {
                 LOCK(cs_main);
                 AcceptToMemoryPoolWithTime(chainparams, pool, state, tx, nTime,
                                            nullptr /* plTxnReplaced */, false /* bypass_limits */,

Original file line number	Diff line number	Diff line change
`@@ -5084,7 +5084,7 @@ bool LoadMempool(CTxMemPool& pool)`
`5084`	`5084`	`pool.PrioritiseTransaction(tx->GetHash(), amountdelta);`
`5085`	`5085`	`}`
`5086`	`5086`	`TxValidationState state;`
`5087`		`- if (nTime + nExpiryTimeout > nNow) {`
	`5087`	`+ if (nTime > nNow - nExpiryTimeout) {`
`5088`	`5088`	`LOCK(cs_main);`
`5089`	`5089`	`AcceptToMemoryPoolWithTime(chainparams, pool, state, tx, nTime,`
`5090`	`5090`	`nullptr /* plTxnReplaced /, false / bypass_limits */,`