From 969677d3370361d7257f3c50dc75e4cd274ceb3d Mon Sep 17 00:00:00 2001
From: pasta <pasta@dashboost.org>
Date: Tue, 30 Sep 2025 16:05:25 -0500
Subject: [PATCH 1/2] llmq/signing_shares: guard quorumMember indexing with
 Assume() to avoid OOB writes; improve ToInvString() safety

---
 src/llmq/signing_shares.cpp | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/llmq/signing_shares.cpp b/src/llmq/signing_shares.cpp
index 1c9a911989b5c..d591db4ae9b9d 100644
--- a/src/llmq/signing_shares.cpp
+++ b/src/llmq/signing_shares.cpp
@@ -18,6 +18,7 @@
 #include <netmessagemaker.h>
 #include <spork.h>
 #include <util/irange.h>
+#include <util/check.h>
 #include <util/thread.h>
 #include <util/time.h>
 #include <util/underlying.h>
@@ -93,7 +94,9 @@ std::string CBatchedSigShares::ToInvString() const
     // we use 400 here no matter what the real size is. We don't really care about that size as we just want to call ToString()
     inv.Init(400);
     for (const auto& sigShare : sigShares) {
-        inv.inv[sigShare.first] = true;
+        if (Assume(sigShare.first < inv.inv.size())) {
+            inv.inv[sigShare.first] = true;
+        }
     }
     return inv.ToString();
 }
@@ -1088,7 +1091,7 @@ void CSigSharesManager::CollectSigSharesToAnnounce(const CConnman& connman,
 
             auto& session = nodeState.GetOrCreateSessionFromShare(*sigShare);
 
-            if (session.knows.inv[quorumMember]) {
+            if (Assume(quorumMember < session.knows.inv.size()) && session.knows.inv[quorumMember]) {
                 // he already knows that one
                 continue;
             }
@@ -1099,8 +1102,12 @@ void CSigSharesManager::CollectSigSharesToAnnounce(const CConnman& connman,
                 assert(llmq_params_opt.has_value());
                 inv.Init(llmq_params_opt->size);
             }
-            inv.inv[quorumMember] = true;
-            session.knows.inv[quorumMember] = true;
+            if (Assume(quorumMember < inv.inv.size())) {
+                inv.inv[quorumMember] = true;
+            }
+            if (Assume(quorumMember < session.knows.inv.size())) {
+                session.knows.inv[quorumMember] = true;
+            }
         }
     });
 

From b14d50958652bcf53627f8089f7d408010171fd0 Mon Sep 17 00:00:00 2001
From: pasta <pasta@dashboost.org>
Date: Sat, 4 Oct 2025 06:39:05 -0500
Subject: [PATCH 2/2] --amend

---
 src/llmq/signing_shares.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/llmq/signing_shares.cpp b/src/llmq/signing_shares.cpp
index d591db4ae9b9d..dbed94cd3bf31 100644
--- a/src/llmq/signing_shares.cpp
+++ b/src/llmq/signing_shares.cpp
@@ -17,8 +17,8 @@
 #include <net_processing.h>
 #include <netmessagemaker.h>
 #include <spork.h>
-#include <util/irange.h>
 #include <util/check.h>
+#include <util/irange.h>
 #include <util/thread.h>
 #include <util/time.h>
 #include <util/underlying.h>