2017-03-22 02:49:51 <achow101> could someone explain how the latest BU crashing bug works? I know that it is due to an assert, I'm just trying to figure out how that assert is reached
2017-03-22 02:54:48 <roasbeef> achow101: looks like they weren't ensuring that the block existed on disk, if the header did. possibly they weren't considering usage of sendheaders/headers within the p2p network at the time they were writing the xthin patch (jan of last year)
2017-03-22 02:56:00 <achow101> roasbeef: how would the block not exist on disk but the header does?
2017-03-22 02:56:16 <roasbeef> so it looks like if you sent a BU node an xthin inv message for a block that either they weren't aware of, or only had the header of, they'd crash at the assert
2017-03-22 02:56:33 <roasbeef> achow101: https://github.com/bitcoin/bips/blob/master/bip-0130.mediawiki
2017-03-22 02:56:54 <achow101> well if they weren't aware of it, the check they added after the last bug should catch that
2017-03-22 02:57:06 <roasbeef> the last bug was an unknown INV type
2017-03-22 02:57:20 <roasbeef> this bug seems to be an xthin INV for a block that the receiving node didn't have
2017-03-22 02:57:23 <achow101> the last bug was two bugs, asking for an unknown block and an unknown INV type
2017-03-22 02:57:35 <roasbeef> guess it wasn't fully fixed :p
2017-03-22 02:57:54 <roasbeef> ftr i'm no expert on the bitcoin core codebase, just my interpretation after glancing at the code for a min
2017-03-22 02:58:51 <achow101> this bug seems difficult to exploit though, you would have to have a header with a valid PoW to send to the node first
2017-03-22 03:01:08 <roasbeef> seems like it would just be a race condition: a node sends them the header for a block (it's valid), another node then sends an xthin INV _before_ they get the block
2017-03-22 03:02:08 <achow101> ah. ok. requires a bit more skill to exploit than the last one
2017-03-22 03:02:22 <roasbeef> well you'd just spam em, and hope you got the timing correctly
2017-03-22 03:07:06 <roasbeef> the logs people are dumping show an increase in the banscore for the sending peer before the crash, so would coincide with the spam route
2017-03-22 03:07:25 <roasbeef> they're fix isn't public though, as they've moved to a closed source repo, and they're distributing binaries
2017-03-22 03:07:37 <roasbeef> their*
2017-03-22 03:09:14 <achow101> hmm. interesting. It seems like a bad idea for them to go closed source for this fix given that it is already being exploited
2017-03-22 03:09:14 <dgenr8> as attackers probably deduced, the fix was already part of a patch being tested. gotta punch 'em while they're down