From 9a92d823c8dc4b2febaf965a3a3ee92c4562ee95 Mon Sep 17 00:00:00 2001
From: Chandra Pratap
Date: Wed, 18 Jun 2025 06:20:32 +0000
Subject: [PATCH 1/3] fuzz-tests: Prevent memory leak in `fuzz-initial_channel`
Changelog-None:
The current test can leak memory due to improper cleanup in the case of an early return. Fix it.
---
 tests/fuzz/fuzz-initial_channel.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/tests/fuzz/fuzz-initial_channel.c b/tests/fuzz/fuzz-initial_channel.c
index 5549b36db98c..4fe17b428f7b 100644
--- a/tests/fuzz/fuzz-initial_channel.c
+++ b/tests/fuzz/fuzz-initial_channel.c
@@ -71,8 +71,10 @@ void run(const uint8_t *data, size_t size)
 /* TODO: determine if it makes sense to check at each step for libfuzzer
 * to deduce pertinent inputs */
- if (!data || !size)
+ if (!data || !size) {
+ clean_tmpctx();
 return;
+ }
 for (enum side opener = 0; opener < NUM_SIDES; opener++) {
 channel = new_initial_channel(tmpctx, &cid, &funding,
From ecb1ccb0bdc66cc562bb86f726913d66c2fb74e9 Mon Sep 17 00:00:00 2001
From: Chandra Pratap
Date: Wed, 25 Jun 2025 07:24:04 +0000
Subject: [PATCH 2/3] fuzz-tests: Add tests for untested functions
Currently, `fuzz-initial_channel` doesn't verify the following functions in its target file, `common/initial_channel.h`: `channel_update_funding()` and `initial_channel_tx()`. Add a test for them.
---
 tests/fuzz/fuzz-initial_channel.c | 33 ++++++++++++++++++++++++++++---
 1 file changed, 30 insertions(+), 3 deletions(-)
diff --git a/tests/fuzz/fuzz-initial_channel.c b/tests/fuzz/fuzz-initial_channel.c
index 4fe17b428f7b..18f78aad7713 100644
--- a/tests/fuzz/fuzz-initial_channel.c
+++ b/tests/fuzz/fuzz-initial_channel.c
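Review bot: The early-return path now duplicates the `clean_tmpctx()` call that closes `run()`, so every future early exit from this function has to remember the same call; a `goto out;` to a single label placed in front of the existing final `clean_tmpctx();` would keep one cleanup path (the usual C single-exit cleanup idiom). The rest of `run()`, including that final cleanup, lies outside this hunk.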
@@ -29,6 +29,24 @@ void init(int *argc, char ***argv)
 chainparams = chainparams_for_network("bitcoin");
 }
+#define MAX_SATS (u64)WALLY_SATOSHI_PER_BTC * WALLY_BTC_MAX
+
+static void test_channel_update_funding(struct channel *channel, const u8 **cursor, size_t *max) {
+ struct bitcoin_outpoint funding;
+ struct amount_sat funding_sats;
+ s64 splice_amnt;
+
+ if (*max < sizeof(funding) + sizeof(funding_sats) + sizeof(splice_amnt))
+ return;
+
+ fromwire_bitcoin_outpoint(cursor, max, &funding);
+ funding_sats = fromwire_amount_sat(cursor, max);
+ funding_sats.satoshis %= MAX_SATS;
+ splice_amnt = fromwire_s64(cursor, max) % MAX_SATS;
+
+ channel_update_funding(channel, &funding, funding_sats, splice_amnt);
+}
+
 void run(const uint8_t *data, size_t size)
 {
 struct channel_id cid;
@@ -49,7 +67,7 @@ void run(const uint8_t *data, size_t size)
 minimum_depth = fromwire_u32(&data, &size);
 funding_sats = fromwire_amount_sat(&data, &size);
 local_msatoshi = fromwire_amount_msat(&data, &size);
- max = AMOUNT_SAT((u32)WALLY_SATOSHI_PER_BTC * WALLY_BTC_MAX);
+ max = AMOUNT_SAT(MAX_SATS);
 if (amount_sat_greater(funding_sats, max))
 funding_sats = max;
 feerate_per_kw = fromwire_u32(&data, &size);
@@ -93,8 +111,17 @@ void run(const uint8_t *data, size_t size)
 channel_type,
 wumbo,
 opener);
- /* TODO: make initial_channel_tx() work with ASAN.. */
- (void)channel;
+ if (channel) {
+ const u8 *wscript;
+ struct wally_tx_output *direct_outputs[NUM_SIDES];
+ char *err_reason = NULL;
+
+ if(!initial_channel_tx(tmpctx, &wscript, channel, &local_funding_pubkey,
+ opener, direct_outputs, &err_reason))
+ assert(err_reason);
+
+ test_channel_update_funding(channel, &data, &size);
+ }
 }
 clean_tmpctx();
From 7012606c8d6417ae34356208dfe2fb156a151b3b Mon Sep 17 00:00:00 2001
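Review bot: `MAX_SATS` is defined without parentheses around its body, so `splice_amnt = fromwire_s64(cursor, max) % MAX_SATS;` expands to `fromwire_s64(cursor, max) % (u64)WALLY_SATOSHI_PER_BTC * WALLY_BTC_MAX`, which at the equal precedence of `%` and `*` groups as `(... % (u64)WALLY_SATOSHI_PER_BTC) * WALLY_BTC_MAX` rather than a reduction modulo the full maximum. Define it as `#define MAX_SATS ((u64)WALLY_SATOSHI_PER_BTC * WALLY_BTC_MAX)`; the `%=` use two lines above is unaffected by the grouping because assignment binds lowest, and `AMOUNT_SAT(MAX_SATS)` in the next hunk is fine as long as `AMOUNT_SAT` parenthesizes its argument, but both benefit from the same fix. Separately, because `MAX_SATS` is `u64`, the `s64` result of `fromwire_s64()` is converted to unsigned before the `%`, so a negative wire value never produces a negative `splice_amnt`; if negative splice amounts are meant to be exercised, `% (s64)MAX_SATS` keeps the sign. The opening brace of `test_channel_update_funding` also sits on the signature line, while `init()` and `run()` in this file put it on a line of its own.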
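Review bot: `if(!initial_channel_tx(` drops the space after `if` that the rest of this file uses (`if (channel)`, `if (amount_sat_greater(funding_sats, max))`); write it as `if (!initial_channel_tx(...))`. The success branch discards the returned transaction and never reads `wscript` or `direct_outputs`, which is acceptable for a crash-finding harness but deserves a one-line comment, e.g. `/* Only exercise the path; the tx is allocated off tmpctx and released by clean_tmpctx() below. */` (the tmpctx ownership is inferred from the first argument, confirm against initial_channel_tx's contract). The enclosing `for (enum side opener ...)` loop starts outside this hunk.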
From: Chandra Pratap Date: Wed, 25 Jun 2025 07:28:10 +0000 Subject: [PATCH 3/3] fuzz-tests: Add the crashing input to the test's corpus --- ...crash-ba4c2f61ced86bf70af5f7c7d2ed3f7042efe9ce | Bin 0 -> 572 bytes 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 tests/fuzz/corpora/fuzz-initial_channel/crash-ba4c2f61ced86bf70af5f7c7d2ed3f7042efe9ce diff --git a/tests/fuzz/corpora/fuzz-initial_channel/crash-ba4c2f61ced86bf70af5f7c7d2ed3f7042efe9ce b/tests/fuzz/corpora/fuzz-initial_channel/crash-ba4c2f61ced86bf70af5f7c7d2ed3f7042efe9ce new file mode 100644 index 0000000000000000000000000000000000000000..c9433dab3b82fb19d129286055df52f41981fb23 GIT binary patch literal 572 zcmcb6mw|zS>1xm2yLTrega5>WyTwp&mlYYPv4YKY4^;z^W&p~p zzskkHfUsE;!345^Zo>}l-em#-D=EKboj7N^9Qr{^v9Ucfw a4B$w-Yi*5TATXH#BddlJ8Xcf0