From 1061b01ab3c727afe848776f765a3b635f66a766 Mon Sep 17 00:00:00 2001
From: Scott Schurr
Date: Wed, 21 Jul 2021 13:22:26 -0700
Subject: [PATCH 1/4] Improve SLE usage in check cashing
---
 src/ripple/app/tx/impl/CashCheck.cpp | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)
diff --git a/src/ripple/app/tx/impl/CashCheck.cpp b/src/ripple/app/tx/impl/CashCheck.cpp
index 9ab6e21e83..9a6df67a53 100644
--- a/src/ripple/app/tx/impl/CashCheck.cpp
+++ b/src/ripple/app/tx/impl/CashCheck.cpp
@@ -255,7 +255,7 @@ CashCheck::doApply()
 // directly on a View.
 PaymentSandbox psb(&ctx_.view());
- auto const sleCheck = psb.peek(keylet::check(ctx_.tx[sfCheckID]));
+ auto sleCheck = psb.peek(keylet::check(ctx_.tx[sfCheckID]));
 if (!sleCheck)
 {
 JLOG(j_.fatal()) << "Precheck did not verify check's existence.";
@@ -263,10 +263,8 @@ CashCheck::doApply()
 }
 AccountID const srcId{sleCheck->getAccountID(sfAccount)};
- auto const sleSrc = psb.peek(keylet::account(srcId));
- auto const sleDst = psb.peek(keylet::account(account_));
-
- if (!sleSrc || !sleDst)
+ if (!psb.exists(keylet::account(srcId)) ||
+ !psb.exists(keylet::account(account_)))
 {
 JLOG(ctx_.journal.fatal()) << "Precheck did not verify source or destination's existence.";
@@ -285,7 +283,7 @@ CashCheck::doApply()
 // work to do...
 auto viewJ = ctx_.app.journal("View");
 auto const optDeliverMin = ctx_.tx[~sfDeliverMin];
- bool const doFix1623{ctx_.view().rules().enabled(fix1623)};
+ bool const doFix1623{psb.rules().enabled(fix1623)};
 if (srcId != account_)
 {
 STAmount const sendMax{sleCheck->getFieldAmount(sfSendMax)};
@@ -293,7 +291,7 @@ CashCheck::doApply()
 // Flow() doesn't do XRP to XRP transfers.
 if (sendMax.native())
 {
- // Here we need to calculate the amount of XRP sleSrc can send.
+ // Here we need to calculate the amount of XRP src can send.
 // The amount they have available is their balance minus their
 // reserve.
 //
@@ -380,6 +378,7 @@ CashCheck::doApply()
 // Set the delivered_amount metadata.
 ctx_.deliver(result.actualAmountOut);
 }
+ sleCheck = psb.peek(keylet::check(ctx_.tx[sfCheckID]));
 }
 }
@@ -388,7 +387,7 @@ CashCheck::doApply()
 if (srcId != account_)
 {
 std::uint64_t const page{(*sleCheck)[sfDestinationNode]};
- if (!ctx_.view().dirRemove(
+ if (!psb.dirRemove(
 keylet::ownerDir(account_), page, sleCheck->key(), true))
 {
 JLOG(j_.fatal()) << "Unable to delete check from destination.";
@@ -398,7 +397,7 @@ CashCheck::doApply()
 // Remove check from check owner's directory.
 {
 std::uint64_t const page{(*sleCheck)[sfOwnerNode]};
- if (!ctx_.view().dirRemove(
+ if (!psb.dirRemove(
 keylet::ownerDir(srcId), page, sleCheck->key(), true))
 {
 JLOG(j_.fatal()) << "Unable to delete check from owner.";
@@ -406,7 +405,7 @@ CashCheck::doApply()
 }
 }
 // If we succeeded, update the check owner's reserve.
- adjustOwnerCount(psb, sleSrc, -1, viewJ);
+ adjustOwnerCount(psb, psb.peek(keylet::account(srcId)), -1, viewJ);
 // Remove check from ledger.
 psb.erase(sleCheck);
From 53df35eef3058781cbbf5940d23b8e8e0e67d23b Mon Sep 17 00:00:00 2001
From: Edward Hennis
Date: Wed, 21 Jul 2021 18:10:45 -0400
Subject: [PATCH 2/4] Address OOB read in the base58 decoder:

Under some circumstances, it is possible to induce an out-of-bounds memory read in the base58 decoder. This commit addresses this issue. Acknowledgements: Guido Vranken for discovering and responsibly disclosing this issue. Bug Bounties and Responsible Disclosures: We welcome reviews of the rippled code and urge researchers to responsibly disclose any issues they may find. Ripple is generously sponsoring a bug bounty program for the rippled project. For more information please visit: https://ripple.com/bug-bounty
---
 src/ripple/protocol/impl/tokens.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ripple/protocol/impl/tokens.cpp b/src/ripple/protocol/impl/tokens.cpp
index ea08d636d9..816d49e40d 100644
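Review bot: The check SLE re-acquired at the end of the @@ -380 hunk, `sleCheck = psb.peek(keylet::check(ctx_.tx[sfCheckID]));`, is dereferenced without a null check in the @@ -388 and @@ -398 hunks (`(*sleCheck)[sfDestinationNode]`, `sleCheck->key()`), and the @@ -406 hunk likewise hands an unchecked `psb.peek(keylet::account(srcId))` to adjustOwnerCount. Both entries were confirmed present before the payment ran, so a null here would presumably indicate an inconsistent sandbox rather than a normal outcome, but the earlier existence checks fail with a fatal log and an error code while these would fail with a null dereference inside transaction application. Mirroring the guard at the top of doApply, `if (!sleCheck) { JLOG(j_.fatal()) << "Check disappeared during payment."; return <same code as the earlier existence checks>; }`, keeps the failure a logged transaction error. A why-comment on the re-peek, `// Re-fetch: an SLE peeked before the payment must not be reused once the sandbox has been modified.`, would also record why the earlier `auto const` was dropped. doApply's body starts and ends outside these hunks.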
--- a/src/ripple/protocol/impl/tokens.cpp
+++ b/src/ripple/protocol/impl/tokens.cpp
@@ -149,7 +149,7 @@ encodeBase58(
 static std::string decodeBase58(std::string const& s)
 {
- auto psz = s.c_str();
+ auto psz = reinterpret_cast(s.c_str());
 auto remain = s.size();
 // Skip and count leading zeroes
 int zeroes = 0;
From e37c108195809be3279bad4c54f5f603603c41db Mon Sep 17 00:00:00 2001
From: Peng Wang
Date: Mon, 9 Aug 2021 18:58:25 -0400
Subject: [PATCH 3/4] Add 'NegativeUNL' as a supported amendment:

The Negative UNL is a feature of the XRP Ledger consensus protocol that improves liveness (the network's ability to make forward progress) during a partial outage. Using the Negative UNL, servers adjust their effective UNLs based on which validators are currently online and operational, so that a new ledger version can be declared validated even if several trusted validators are offline. The Negative UNL has no impact on how the network processes transactions or what transactions' outcomes are, except that it improves the network's ability to declare outcomes final during some types of partial outages. The feature was originally introduced with version **1.6.0** but it was only possible to manually enable this. If merged, this commit introduces the amendment associated with the feature so that server operators can vote on whether to enable this feature. For more details, please see https://xrpl.org/negative-unl.html This commit closes #3898.
---
 src/ripple/protocol/impl/Feature.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ripple/protocol/impl/Feature.cpp b/src/ripple/protocol/impl/Feature.cpp
index 97a1d01d1b..7b519f6153 100644
--- a/src/ripple/protocol/impl/Feature.cpp
+++ b/src/ripple/protocol/impl/Feature.cpp
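Review bot: The fix in the @@ -149 hunk of tokens.cpp depends on `psz` now pointing at an unsigned element type, so that an input byte with the high bit set can no longer yield a negative index into the decode table, but nothing on the changed line says so; the page renders the cast as `reinterpret_cast(s.c_str())` with its template argument lost, presumably a pointer-to-const-unsigned-char. A why-comment would preserve the reasoning for the next reader, e.g. `// Index the alphabet table with unsigned bytes: a plain char with the high bit set would become a negative, out-of-bounds index.` The table lookups that consume `psz`, and the rest of decodeBase58, lie outside the hunk, so whether the table is sized for all 256 byte values cannot be confirmed from here. A regression test that decodes a string containing a byte of 0x80 or above and expects the input to be rejected would pin the fix against future refactoring.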
@@ -131,7 +131,7 @@ detail::supportedAmendments()
 "fix1781",
 "HardenedValidations",
 "fixAmendmentMajorityCalc",
- //"NegativeUNL", // Commented out to prevent automatic enablement
+ "NegativeUNL",
 "TicketBatch",
 "FlowSortStrands",
 "fixSTAmountCanonicalize",
From 96bbabbd2ece106779bb544aa0e4ce174e99fdf6 Mon Sep 17 00:00:00 2001
From: Nik Bougalis
Date: Wed, 4 Aug 2021 10:52:58 -0700
Subject: [PATCH 4/4] Set version to 1.7.3
---
 RELEASENOTES.md | 14 ++++++++++++++
 src/ripple/protocol/impl/BuildInfo.cpp | 2 +-
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/RELEASENOTES.md b/RELEASENOTES.md
index 856fa78864..3b8839d5d4 100644
--- a/RELEASENOTES.md
+++ b/RELEASENOTES.md
@@ -9,6 +9,20 @@ Have new ideas? Need help with setting up your node? Come visit us [here](https:
 # Releases
+## Version 1.7.3
+
+This is the 1.7.3 release of `rippled`, the reference implementation of the XRP Ledger protocol. This release addresses an OOB memory read identified by Guido Vranken, as well as an unrelated issue identified by the Ripple C++ team that could result in incorrect use of SLEs. Additionally, this version also introduces the `NegativeUNL` amendment, which corresponds to the feature which was introduced with the 1.6.0 release.
+
+## Action Required
+
+If you operate an XRP Ledger server, then you should upgrade to version 1.7.3 at your earliest convenience to mitigate the issues addressed in this hotfix. If a sufficient majority of servers on the network upgrade, the `NegativeUNL` amendment may gain a majority, at which point a two week activation countdown will begin. If the `NegativeUNL` amendment activates, servers running versions of `rippled` prior to 1.7.3 will become [amendment blocked](https://xrpl.org/amendments.html#amendment-blocked).
+
+### Bug Fixes
+
+- **Improve SLE usage in check cashing**: Fixes a situation which could result in the incorrect use of SLEs.
+- **Address OOB in base58 decoder**: Corrects a technical flaw that could allow an out-of-bounds memory read in the Base58 decoder.
+- **Add `NegativeUNL` as a supported amendment**: Introduces an amendment for the Negative UNL feature introduced in `rippled` 1.6.0.
+
 ## Version 1.7.2
 This the 1.7.2 release of rippled, the reference server implementation of the XRP Ledger protocol. This release protects against the security issue [CVE-2021-3499](https://www.openssl.org/news/secadv/20210325.txt) affecting OpenSSL, adds an amendment to fix an issue with small offers not being properly removed from order books in some cases, and includes various other minor fixes.
diff --git a/src/ripple/protocol/impl/BuildInfo.cpp b/src/ripple/protocol/impl/BuildInfo.cpp
index 732c74f1a2..21e5c99ccf 100644
--- a/src/ripple/protocol/impl/BuildInfo.cpp
+++ b/src/ripple/protocol/impl/BuildInfo.cpp
@@ -33,7 +33,7 @@ namespace BuildInfo {
 // and follow the format described at http://semver.org/
 //------------------------------------------------------------------------------
 // clang-format off
-char const* const versionString = "1.7.2"
+char const* const versionString = "1.7.3"
 // clang-format on
 #if defined(DEBUG) || defined(SANITIZER)