fuzz: add raw deserialization targets for SV2 message types

Cover all client-to-TP message types that accept untrusted input:
SetupConnection, RequestTransactionData, SubmitSolution,
CoinbaseOutputConstraints, NetHeader, and NetMsg. Types with both
Serialize and Unserialize include roundtrip invariant checks.

Author: xyephy

src/test/fuzz/CMakeLists.txt

@@ -9,6 +9,7 @@ target_sources(fuzz
   PRIVATE
     fuzz.cpp
     check_globals.cpp
+    sv2_messages.cpp
     sv2_noise.cpp
     ../sv2_test_setup.cpp
 )

src/test/fuzz/sv2_messages.cpp

@@ -0,0 +1,117 @@
+// Copyright (c) 2026-present The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#include <sv2/messages.h>
+#include <streams.h>
+#include <test/fuzz/fuzz.h>
+#include <test/fuzz/sv2_fuzz_util.h>
+
+#include <cstdint>
+#include <vector>
+
+using node::Sv2MsgType;
+using node::Sv2NetHeader;
+using node::Sv2NetMsg;
+using node::Sv2SetupConnectionMsg;
+using node::Sv2CoinbaseOutputConstraintsMsg;
+using node::Sv2RequestTransactionDataMsg;
+using node::Sv2SubmitSolutionMsg;
+
+// Feed arbitrary bytes into a deserializer.
+// Sanitizers (ASan/UBSan/MSan) catch memory errors along the way.
+template <typename T>
+static void FuzzDeserialize(FuzzBufferType buffer)
+{
+    DataStream ds{buffer};
+    try {
+        T msg;
+        ds >> msg;
+    } catch (const std::ios_base::failure&) {
+    }
+}
+
+// Deserialize, then verify the roundtrip invariant: serialize the
+// result and deserialize again. Only for types with both Serialize
+// and Unserialize.
+template <typename T>
+static void FuzzDeserializeRoundtrip(FuzzBufferType buffer)
+{
+    DataStream ds{buffer};
+    try {
+        T msg;
+        ds >> msg;
+
+        DataStream rt{};
+        rt << msg;
+        T msg2;
+        rt >> msg2;
+    } catch (const std::ios_base::failure&) {
+    }
+}
+
+// Client -> TP messages: these arrive over the network from untrusted
+// peers and are the primary deserialization attack surface.
+// These types have Unserialize only (no Serialize).
+
+FUZZ_TARGET(sv2_setup_connection_raw, .init = Sv2FuzzInitialize)
+{
+    FuzzDeserialize<Sv2SetupConnectionMsg>(buffer);
+}
+
+FUZZ_TARGET(sv2_request_transaction_data_raw, .init = Sv2FuzzInitialize)
+{
+    FuzzDeserialize<Sv2RequestTransactionDataMsg>(buffer);
+}
+
+FUZZ_TARGET(sv2_submit_solution_raw, .init = Sv2FuzzInitialize)
+{
+    FuzzDeserialize<Sv2SubmitSolutionMsg>(buffer);
+}
+
+// CoinbaseOutputConstraints has both Serialize and Unserialize,
+// and uses catch(...) for the optional sigops field -- roundtrip it.
+FUZZ_TARGET(sv2_coinbase_output_constraints_raw, .init = Sv2FuzzInitialize)
+{
+    FuzzDeserializeRoundtrip<Sv2CoinbaseOutputConstraintsMsg>(buffer);
+}
+
+// Sv2NetHeader uses a 24-bit little-endian length encoding and ignores
+// a 2-byte extension type prefix -- unusual parsing worth fuzzing.
+FUZZ_TARGET(sv2_net_header_raw, .init = Sv2FuzzInitialize)
+{
+    DataStream ds{buffer};
+    try {
+        Sv2NetHeader hdr;
+        ds >> hdr;
+
+        // Roundtrip
+        DataStream rt{};
+        rt << hdr;
+        Sv2NetHeader hdr2;
+        rt >> hdr2;
+        assert(hdr.m_msg_type == hdr2.m_msg_type);
+        assert(hdr.m_msg_len == hdr2.m_msg_len);
+    } catch (const std::ios_base::failure&) {
+    }
+}
+
+// Sv2NetMsg::Unserialize calls m_msg.resize(s.size()) which allocates
+// based on remaining stream size -- test with arbitrary input lengths.
+FUZZ_TARGET(sv2_net_msg_raw, .init = Sv2FuzzInitialize)
+{
+    DataStream ds{buffer};
+    try {
+        Sv2NetMsg msg(Sv2MsgType::SETUP_CONNECTION, {});
+        ds >> msg;
+
+        // Roundtrip
+        DataStream rt{};
+        rt << msg;
+        Sv2NetMsg msg2(Sv2MsgType::SETUP_CONNECTION, {});
+        rt >> msg2;
+        assert(msg.m_msg_type == msg2.m_msg_type);
+        assert(msg.m_msg == msg2.m_msg);
+    } catch (const std::ios_base::failure&) {
+    }
+}