authordergoegge <n.goeggi@gmail.com>2022-11-28 16:37:24 +0000
committerfanquake <fanquake@gmail.com>2022-12-02 16:04:13 +0000
commitc8426706deda827231715a1e9afd2078026a5e49 (patch)
tree8942e8119293c3da37ef9ffa18b79c6e5aae570a
parente15b3060179f94962eff82f3ed87a1d26ef65c88 (diff)
[net processing] Assume that TxRelay::m_tx_inventory_to_send is empty pre-verack
This commit documents our assumption that TxRelay::m_tx_inventory_to_send is empty prior to version handshake completion. The added Assume acts as a testing oracle for our fuzzing tests, so that they can potentially detect if the assumption is violated. Github-Pull: #26569 Rebased-From: ce63fca13e9b500e9f687d80a457175ac967a371
-rw-r--r--src/net_processing.cpp15
1 files changed, 15 insertions, 0 deletions
diff --git a/src/net_processing.cpp b/src/net_processing.cpp
index 1b333eb0b7..3edc051034 100644
--- a/src/net_processing.cpp
+++ b/src/net_processing.cpp
@@ -3403,6 +3403,21 @@ void PeerManagerImpl::ProcessMessage(CNode& pfrom, const std::string& msg_type,
// they may wish to request compact blocks from us
m_connman.PushMessage(&pfrom, msgMaker.Make(NetMsgType::SENDCMPCT, /*high_bandwidth=*/false, /*version=*/CMPCTBLOCKS_VERSION));
}
+
+ if (auto tx_relay = peer->GetTxRelay()) {
+ // `TxRelay::m_tx_inventory_to_send` must be empty before the
+ // version handshake is completed as
+ // `TxRelay::m_next_inv_send_time` is first initialised in
+ // `SendMessages` after the verack is received. Any transactions
+ // received during the version handshake would otherwise
+ // immediately be advertised without random delay, potentially
+ // leaking the time of arrival to a spy.
+ Assume(WITH_LOCK(
+ tx_relay->m_tx_inventory_mutex,
+ return tx_relay->m_tx_inventory_to_send.empty() &&
+ tx_relay->m_next_inv_send_time == 0s));
+ }
+
pfrom.fSuccessfullyConnected = true;
return;
}
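Review bot: The `Assume(WITH_LOCK(...))` call only detects a violated invariant; it does not enforce it. As far as I know, `Assume` aborts only in debug and fuzz builds and just passes the value through in release builds. On a production node, a non-empty `m_tx_inventory_to_send` at verack would therefore still be announced without the random delay, which is the arrival-time leak the comment describes. The code that keeps the queue empty before `fSuccessfullyConnected` is set is not visible in this hunk, so the comment should name it. For example, add `// Detection only: Assume() does not abort in release builds; the invariant itself is upheld by <function that refuses to queue announcements pre-verack>.` Separately, `if (auto* tx_relay = peer->GetTxRelay())` would make the pointer type explicit. The body of `ProcessMessage` starts and ends outside this hunk.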