From 1cc2e567f622b17b61e736ea8dd96ae5a4059edf Mon Sep 17 00:00:00 2001
From: Rusty Russell <rusty@rustcorp.com.au>
Date: Mon, 10 Nov 2025 16:34:43 +1030
Subject: [PATCH 1/3] fuzz/fuzz-handle_onion_message.c: fix header order.

We check this now.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
---
 tests/fuzz/fuzz-full_channel.c         |  6 +++---
 tests/fuzz/fuzz-handle_onion_message.c | 10 +++++-----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/tests/fuzz/fuzz-full_channel.c b/tests/fuzz/fuzz-full_channel.c
index 7a5a6a847017..c907f4533704 100644
--- a/tests/fuzz/fuzz-full_channel.c
+++ b/tests/fuzz/fuzz-full_channel.c
@@ -3,15 +3,15 @@
  * from that test.
  */
 #include "config.h"
-#include <fcntl.h>
-#include <common/blockheight_states.h>
 #include <ccan/ccan/array_size/array_size.h>
+#include <channeld/full_channel.h>
+#include <common/blockheight_states.h>
 #include <common/channel_type.h>
 #include <common/fee_states.h>
 #include <common/htlc_wire.h>
 #include <common/setup.h>
 #include <common/status.h>
-#include <channeld/full_channel.h>
+#include <fcntl.h>
 #include <tests/fuzz/libfuzz.h>
 
 /* MOCKS START */
diff --git a/tests/fuzz/fuzz-handle_onion_message.c b/tests/fuzz/fuzz-handle_onion_message.c
index 03112be608c7..0bc4b3085ae9 100644
--- a/tests/fuzz/fuzz-handle_onion_message.c
+++ b/tests/fuzz/fuzz-handle_onion_message.c
@@ -1,18 +1,18 @@
 #include "config.h"
-#include <fcntl.h>
-#include <setjmp.h>
-#include <secp256k1_ecdh.h>
 #include <common/daemon_conn.h>
 #include <common/ecdh.h>
 #include <common/setup.h>
 #include <common/status.h>
 #include <common/wire_error.h>
-#include <connectd/connectd_wiregen.h>
 #include <connectd/connectd.h>
+#include <connectd/connectd_wiregen.h>
 #include <connectd/multiplex.h>
 #include <connectd/onion_message.h>
-#include <wire/peer_wiregen.h>
+#include <fcntl.h>
+#include <secp256k1_ecdh.h>
+#include <setjmp.h>
 #include <tests/fuzz/libfuzz.h>
+#include <wire/peer_wiregen.h>
 
 static int lightningd_fd;
 static struct privkey priv;

From 64df23f23e6706458189d4c5a2cba1dd0664e265 Mon Sep 17 00:00:00 2001
From: Chandra Pratap <chandrapratap3519@gmail.com>
Date: Mon, 10 Nov 2025 16:34:46 +1030
Subject: [PATCH 2/3] fuzz-tests: get rid of magic numbers in
 `fuzz-hsm_encryption.c`

Changelog-None: `fuzz-hsm_encryption.c` hard codes the lengths
sizeof(struct secret) as 32 and crypto_pwhash_argon2id_PASSWD_MAX
as 4294967295. Replace the latter with the former to improve
readability and maintainability.

While at it, replace the `tal_free()` call on our secret key with
`discard_key()`. This has the benefit of testing `discard_key()`.

[ Changed from fuzz-hsm_encryption to fuzz-hsm_secret --RR ]
---
 tests/fuzz/fuzz-hsm_secret.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/tests/fuzz/fuzz-hsm_secret.c b/tests/fuzz/fuzz-hsm_secret.c
index 8c5ccc8bf6c4..cedaf0d7e9c5 100644
--- a/tests/fuzz/fuzz-hsm_secret.c
+++ b/tests/fuzz/fuzz-hsm_secret.c
@@ -20,9 +20,9 @@ void init(int *argc, char ***argv)
 
 void run(const uint8_t *data, size_t size)
 {
-	/* 4294967295 is crypto_pwhash_argon2id_PASSWD_MAX. libfuzzer won't
-	 * generate inputs that large in practice, but hey. */
-	if (size > 32 && size < 4294967295) {
+	/* LibFuzzer won't generate inputs larger than
+	 * crypto_pwhash_argon2id_PASSWD_MAX in practice, but hey. */
+	if (size > sizeof(struct secret) && size < crypto_pwhash_argon2id_PASSWD_MAX) {
 		struct secret *hsm_secret, *encryption_key;
 		char *passphrase;
 		u8 encrypted_data[ENCRYPTED_HSM_SECRET_LEN];
@@ -31,8 +31,9 @@ void run(const uint8_t *data, size_t size)
 
 		/* Take the first 32 bytes as the plaintext hsm_secret seed,
 		 * and the remaining ones as the passphrase. */
-		hsm_secret = (struct secret *)tal_dup_arr(NULL, u8, data, 32, 0);
-		passphrase = to_string(NULL, data + 32, size - 32);
+		hsm_secret = (struct secret *)tal_dup_arr(NULL, u8, data, sizeof(struct secret), 0);
+		mlock_tal_memory(hsm_secret);
+		passphrase = to_string(NULL, data + sizeof(struct secret), size - sizeof(struct secret));
 
 		/* A valid seed, a valid passphrase. This should not fail. */
 		encryption_key = get_encryption_key(NULL, passphrase);

From 7d39fad55aa55ea8aa344f81a2fb5ff2fecb5ec4 Mon Sep 17 00:00:00 2001
From: Chandra Pratap <chandrapratap3519@gmail.com>
Date: Mon, 10 Nov 2025 16:34:46 +1030
Subject: [PATCH 3/3] fuzz-tests: Add coverage-increasing inputs to seed
 corpora

Change in the fuzzing scheme of fuzz-hsm_encryption led to the
discovery of test inputs that result in greater in code coverage.
Add these inputs to the test's seed corpus.

[ Changed from fuzz-hsm_encryption to fuzz-hsm_secret --RR ]
---
 .../23310b00d98159b5b169b2b919f4af986233e4a0       |   1 +
 .../25172a8f2d48f9081b884ed5066cb4fc41a7099d       | Bin 0 -> 74 bytes
 2 files changed, 1 insertion(+)
 create mode 100644 tests/fuzz/corpora/fuzz-hsm_secret/23310b00d98159b5b169b2b919f4af986233e4a0
 create mode 100644 tests/fuzz/corpora/fuzz-hsm_secret/25172a8f2d48f9081b884ed5066cb4fc41a7099d

diff --git a/tests/fuzz/corpora/fuzz-hsm_secret/23310b00d98159b5b169b2b919f4af986233e4a0 b/tests/fuzz/corpora/fuzz-hsm_secret/23310b00d98159b5b169b2b919f4af986233e4a0
new file mode 100644
index 000000000000..4662158191f7
--- /dev/null
+++ b/tests/fuzz/corpora/fuzz-hsm_secret/23310b00d98159b5b169b2b919f4af986233e4a0
@@ -0,0 +1 @@
+QQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQQ-
\ No newline at end of file
diff --git a/tests/fuzz/corpora/fuzz-hsm_secret/25172a8f2d48f9081b884ed5066cb4fc41a7099d b/tests/fuzz/corpora/fuzz-hsm_secret/25172a8f2d48f9081b884ed5066cb4fc41a7099d
new file mode 100644
index 0000000000000000000000000000000000000000..af96d3a4d7f0ce02f8e531547b6d0134f83ee0f4
GIT binary patch
literal 74
QcmWFxBo#2g0g6st05GQ%9RL6T

literal 0
HcmV?d00001