Overview

I worked on the goals I outlined last week. Other than that, most of my time was devoted to reviewing potential bugs and writing new tests. I fell sick toward the end of the week, which caused some hurdles, but I believe I still managed to get a satisfactory amount of work done.

Goals accomplished

  • Fixed the tlv_unknown target: I took a look at this target at the start of the week, and while I initially suspected that the failure was due to an actual bug, it turned out the issue was in my setup for comparing two tlv_unknown structs. I ended up writing a function to properly compare the structs, which resolved the test failure.

  • Reported to Matt about the potential bug in initial_channel_tx(): I finally put together a write-up and brought the issue to Matt, who got back to me at the end of the week. Based on his response, it seems this is another impossible scenario that shouldn’t occur in real-world usage. That said, I’m still not fully convinced by that conclusion. I plan to revisit the function under test and examine its callers to see if the breakage can be triggered from another path. If I’m unable to find a viable path through the existing callers, I’ll add checks in the target to guard against cases like this.

  • Addressed received feedback: I received some feedback on my previous PRs this week, like the fuzz target for bech32, and a significant portion of my time was spent addressing that feedback.

  • Added a target for gossipd-connectd interface: connectd_req() in gossipd/gossipd.c is responsible for handling messages that gossipd receives from connectd. Since the function follows a stateful structure, I created a stateful fuzzer to simulate its behavior—effectively simulating messages sent from connectd to gossipd. The work on this target is now complete, and I plan to push the change in the near future.

  • Added a target for gossipd-lightningd interface: recv_req() in gossipd/gossipd.c is responsible for handling messages that gossipd receives from lightningd. Since this function also follows a stateful structure, I created a stateful fuzzer to simulate its behavior—effectively simulating messages from lightningd to gossipd. The work on this target is complete as well, and I plan to push the change in the near future.

  • Added a target for gossmap_manage: gossmap_manage.{c, h} defines the operations and structures responsible for managing the gossip map during peer communication. After reviewing the operations, I felt they would make a good candidate for fuzz testing, so I created a stateful fuzz target for them. The core work on the target is complete, but it’s currently encountering memory leak errors. I spent a considerable amount of time trying to resolve the issue, but it appears to be a genuine bug in the code—one that’s a bit too complex for me to tackle alone. I plan to bring it up with Matt for help in the coming week.

Next week’s goals

I resumed my work on adding new fuzz targets and improving existing ones this week and had built up good momentum—until I was sidelined by a fever. It may take a few days to fully recover, but once I’m back to full strength, I plan to return to my regular schedule and continue working on new targets. With this being said, here are some of my immediate goals for the next week:

  • Report to Matt about the potential bug in gossmap_manage: I spent a considerable amount of time this week trying to identify and fix the memory leak issue in this target, but unfortunately, I wasn’t able to resolve it. I’ll need to escalate the issue to Matt and ask for his help—hopefully, it turns out to be an actual bug worth addressing.

  • Follow up on feedback: I received some additional feedback on my PRs toward the end of the week, which I plan to address in the coming week—hopefully, that will wrap things up for those PRs.

  • Work on stateful targets for channeld: After working on the stateful fuzz test for gossipd, I explored the codebase further and noticed that channeld uses a very similar setup for its communication with other daemons. Since the experience I gained from the gossipd tests is directly applicable here, I think it’s worthwhile to add similar stateful fuzz tests for channeld as well.

  • Create targets for common/ code: There are quite a few functions in the common/ directory that would benefit from fuzz testing, given their role in handling untrusted or external input. I plan to add tests for some of these functions in the upcoming week.

Challenges

I came down with a mild fever toward the end of the week, so I wasn’t able to accomplish as much as I had hoped. That said, there’s no point dwelling on it—what’s done is done, and there wasn’t much I could’ve done to prevent it. I’ll focus on recovering quickly so I can get back to working fully on the project. In the meantime, I’ll try to handle some of the easier targets to keep things moving.

I’m happy to share that I finally started tackling more complex targets. While most of them haven’t led to new vulnerabilities being uncovered yet, the experience I’ve gained—both in terms of working on the project and growing as a programmer—has made the effort well worth it. I have a feeling that if I keep pushing in this direction, I might stumble upon something significant soon.

Till next time,

Chandra.

<
Previous Post
SoB: Week 5
>
Next Post
SoB: Week 7