Fix (and test) panic when our counterparty uses a bogus funding tx

[TheBlueMatt]

During the block API refactor, we started calling
Channel::force_shutdown when a channel is closed due to a bogus
funding tx. However, we still set the channel's state to Shutdown
prior to doing so, leading to an assertion in force_shutdown (that
the channel is not already closed).

This removes the state-set call and adds a (long-overdue) test for
this case.

[codecov]

Codecov Report

Merging #890 (bf5a08e) into main (e6c9228) will increase coverage by 0.75%.
The diff coverage is 88.88%.

❗ Current head bf5a08e differs from pull request most recent head eb42caf. Consider uploading reports for the commit eb42caf to get more accurate results

@@            Coverage Diff             @@
##             main     #890      +/-   ##
==========================================
+ Coverage   90.23%   90.98%   +0.75%     
==========================================
  Files          57       57              
  Lines       29207    33281    +4074     
==========================================
+ Hits        26355    30282    +3927     
- Misses       2852     2999     +147     

Impacted Files	Coverage Δ
lightning/src/ln/channel.rs	87.44% <ø> (+0.20%)	⬆️
lightning/src/ln/channelmanager.rs	86.64% <77.50%> (+3.52%)	⬆️
lightning/src/ln/functional_tests.rs	96.51% <100.00%> (-0.32%)	⬇️
lightning/src/ln/chanmon_update_fail_tests.rs	97.50% <0.00%> (-0.14%)	⬇️
lightning/src/routing/router.rs	96.21% <0.00%> (+0.42%)	⬆️
lightning-invoice/src/ser.rs	84.53% <0.00%> (+0.89%)	⬆️
lightning/src/chain/channelmonitor.rs	96.76% <0.00%> (+1.30%)	⬆️
lightning/src/chain/chainmonitor.rs	96.41% <0.00%> (+1.59%)	⬆️
... and 3 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update e6c9228...eb42caf. Read the comment docs.

[ariard]

So I had a look on this and the crash you're describing was there before #838 ?

IIUC, before this PR, in case of bogus transaction we set up ShutdownComplete in Channel::block_connected (now Channel::transactions_confirmed) failure path. Once the function return to ChannelManager::block_connected (now ChannelManager::do_chain_event), the error is processed and Channel::force_shutdown would have been called triggering the crash.

[ariard]

Maybe add reference to CVE-2019-12998+

[TheBlueMatt]

So I had a look on this and the crash you're describing was there before #838 ?

Ouch, huh. That's entirely possible, I just assumed. Updated the commit message.

[jkczyz]

Last commit could be squashed as a fixup.

[TheBlueMatt]

So I had a look on this and the crash you're describing was there before #838 ?

I don't think this is true. Looking at 0.0.13, if we get an Err back from chan.block_connected we push an error message and then we return false. We don't ever call force_shutdown, so there is no assertion. I believe this code hunk caused it - 60b962a#diff-645d12c7269d09caab57d2e0c1fd34f672ee259994c86ad4bad7f4da9183671cR3364.

[TheBlueMatt]

Squashed without changes and reverted to the previous commit message, with a Fixes tag pointing to the specific commit.

[ariard]

Code Review ACK eb42caf

I don't think this is true. Looking at 0.0.13, if we get an Err back from chan.block_connected we push an error message and then we return false. We don't ever call force_shutdown, so there is no assertion. I believe this code hunk caused it - 60b962a#diff-645d12c7269d09caab57d2e0c1fd34f672ee259994c86ad4bad7f4da9183671cR3364.

Yep after verification I was wrong, we did move the force_shutdown call in the Err branch in #838. Bug wasn't there before.