Fix crash on deriveaddresses when index is 2147483647 (2^31-1)

[muxator]

This PR is a proposal for fixing #26274 (better described there).

The problem is due to a signed int wrapping when the index parameter of the deriveaddresses RPC call has the value 2^31-1.

for (int i = range_begin; i <= range_end; ++i) {

• the first commit adds a "temporary" test case (test/functional/rpc_deriveaddresses_crash.py) that shows the crash, and can be used to generate a core dump;
• the second commit fixes the problem giving an explicit size to the i variable in a for loop, from int to int64_t. The same commit also removes the ephemeral test case and adds a passing test to test/functional/rpc_deriveaddresses.py, in order to prevent future regressions.

This is my first submission to this project and I do not know its conventions. Please advise if something needs to be changed.

[instagibbs]

Initial NACK on approach, as I believe that's not BIP32 compatible?

e.g. https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki#private-parent-key--private-child-key

"ser32(i)" is implicitly stating that i must be 32 bits long maximum. Throwing an RPC error on detection of potential overflow seems best.

[instagibbs]

@achow101 should descriptors barf when asked to Expand something invalid?

[maflcko]

I don't think this changes behaviour. It only fixes a sanitizer warning

[instagibbs]

ah, my mistake, ignore my comments

[achow101]

Concept ACK

Your first commit introduces a test file that ends up being removed in the second commit. I think it is better to just have the fix in a first commit, and the test in a second. Reviewers can then cherry-pick the test commit onto master to verify that it fails without the first commit. We generally don't want to be introducing stuff in a commit that is going to be removed immediately afterwards. It makes searching through history harder.

[muxator]

I think it is better to just have the fix in a first commit, and the test in a second.

@achow101, I've rewritten the history organizing it as you proposed, thanks for the advice.

[yancyribbens]

Concept ACK

i should be the same size data type as range begin and range end to prevent an overflow.

[DrahtBot]

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

Reviewers, this pull request conflicts with the following ones:

• #22838 (descriptors: Be able to specify change and receiving in a single descriptor string by achow101)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

[willcl-ark]

tACK both commits cherry-picked onto v24.0rc2.

I was able to reproduce the crash before the patch with ./src/bitcoin-cli deriveaddresses "wpkh([d34db33f/84h/0h/0h]xpub6DJ2dNUysrn5Vt36jH2KLBT2i1auw1tTSSomg8PhqNiUtx8QX2SvC9nrHu81fT41fvDUnhMjEzQgXnQjKEu3oaqMSzhSrHMxyyoEAmUHQbY/0/*)#cjjspncu" "[2147483647, 2147483647]".

Afterwards this call succeeded deriving address bc1qpmmpntm7hjmfulr8tuqtyzv9s5ahn9lk857qy4.

[achow101]

ACK 9153ff3

[maflcko]

Marked for backport, so that it is easier to run previous branches with sanitizers enabled

[maflcko]

Actually it is unclear whether this is a behaviour change. It is UB and my compilers happened to optimize the bug away, but there is no guarantee that other compilers or compiler options will do so as well.

[fanquake]

Backported to 24.x in #26410.

[fanquake]

Backported to 23.x in #26411.

[fanquake]

Backported to 22.x in #26413.