Transcript for #bitcoin-dev 2017/03/22

02:49 achow101 could someone explain how the latest BU crashing bug works? I know that it is due to an assert, I'm just trying to figure out how that assert is reached
02:54 roasbeef achow101: looks like they weren't ensuring that the block existed on disk, if the header did. possibly they weren't considering usage of sendheaders/headers usage within the p2p network at the time they were writing the xthin patch (jan of last year)
02:56 achow101 roasbeef: how would the block not exist on disk but the header does?
02:56 roasbeef so it looks like if you sent a BU node an xthin inv message for a block that either they weren't aware of, or only had the header of, they'd crash at the assert
02:56 roasbeef achow101:
02:56 achow101 well if they weren't aware of it, the check they added after the last bug should catch that
02:57 roasbeef the last bug was an unknown INV type
02:57 roasbeef this bug seems to be an xthin INV for a block that the receiving node didn't have
02:57 achow101 the last bug was two bugs, asking for an unknown block and an unknown INV type
02:57 roasbeef guess it wasn't fully fixed :p
02:57 roasbeef ftr i'm no expert on the bitcoin core codebase, just my interpretation after glancing at the code for a min
02:58 achow101 this bug seems difficult to exploit though, you would have to have a header with a valid PoW to send to the node first
03:01 roasbeef seems like it would just be a race condition: a node sends them the header for a block (it's valid), another node then sends an xthin INV _before_ they get the block
03:02 achow101 ah. ok. requires a bit more skill to exploit than the last one
03:02 roasbeef well you'd just spam em, and hope you got the timing right
03:07 roasbeef the logs people are dumping show an increase in the banscore for the sending peer before the crash, so would coincide with the spam route
03:07 roasbeef their fix isn't public though, as they've moved to a closed source repo, and they're distributing binaries
03:09 achow101 hmm. interesting. It seems like a bad idea for them to go closed source for this fix given that it is already being exploited
03:09 dgenr8 as attackers probably deduced, the fix was already part of a patch being tested. gotta punch 'em while they're down