From ce63fca13e9b500e9f687d80a457175ac967a371 Mon Sep 17 00:00:00 2001
From: dergoegge
Date: Mon, 28 Nov 2022 16:37:24 +0000
Subject: [PATCH] [net processing] Assume that TxRelay::m_tx_inventory_to_send is empty pre-verack

This commit documents our assumption about TxRelay::m_tx_inventory_to_send being empty prior to version handshake completion. The added Assume acts as testing oracle for our fuzzing tests to potentially detect if the assumption is violated.
---
 src/net_processing.cpp | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/src/net_processing.cpp b/src/net_processing.cpp
index 70e7eb85d8a..6d5eb3a449d 100644
--- a/src/net_processing.cpp
+++ b/src/net_processing.cpp
@@ -3435,6 +3435,20 @@ void PeerManagerImpl::ProcessMessage(CNode& pfrom, const std::string& msg_type,
 }
 }
 
+ if (auto tx_relay = peer->GetTxRelay()) {
+ // `TxRelay::m_tx_inventory_to_send` must be empty before the
+ // version handshake is completed as
+ // `TxRelay::m_next_inv_send_time` is first initialised in
+ // `SendMessages` after the verack is received. Any transactions
+ // received during the version handshake would otherwise
+ // immediately be advertised without random delay, potentially
+ // leaking the time of arrival to a spy.
+ Assume(WITH_LOCK(
+ tx_relay->m_tx_inventory_mutex,
+ return tx_relay->m_tx_inventory_to_send.empty() &&
+ tx_relay->m_next_inv_send_time == 0s));
+ }
+
 pfrom.fSuccessfullyConnected = true;
 return;
 }
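Review bot: The added comment explains why the invariant should hold but not that `Assume` is only a testing oracle (as the commit message says), so a reader may take the check as enforcing the privacy property in release builds; if the assumption is ever violated there, the queued transactions would still be announced without the random delay the comment describes. I would append one line after the last comment line, `// Assume() only fires under test/fuzz builds; release builds rely on this invariant holding.`, and also state that `0s` is the "not yet initialised" value of `m_next_inv_send_time`, since the condition relies on that sentinel but only implies it. Whether a defensive fallback (e.g. clearing the queue) is wanted in release builds is a design question beyond this commit. The enclosing `ProcessMessage` body begins and ends outside the hunk, so I'm assuming from the `pfrom.fSuccessfullyConnected = true;` context that this is the verack handling path.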