dev_ping: don't crash with silly values.

It's a dev command, but still. Fixes: #985 Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2025-12-24 01:24:26 +01:00 · 2018-02-20 16:37:18 +10:30
parent 91a9c2923f
commit b536e97df2
2 changed files with 31 additions and 0 deletions
--- a/lightningd/dev_ping.c
+++ b/lightningd/dev_ping.c
@@ -62,6 +62,26 @@ static void json_dev_ping(struct command *cmd,
 		return;
 	}

+	/* BOLT #1:
+	 *
+	 * 1. `type`: a 2-byte big-endian field indicating the type of message
+	 * 2. `payload`
+	 *...
+	 * The size of the message is required by the transport layer to fit
+	 * into a 2-byte unsigned int; therefore, the maximum possible size is
+	 * 65535 bytes.
+	 *...
+	 * 1. type: 18 (`ping`)
+	 * 2. data:
+	 *    * [`2`:`num_pong_bytes`]
+	 *    * [`2`:`byteslen`]
+	 *    * [`byteslen`:`ignored`]
+	 */
+	if (len > 65535 - 2 - 2 - 2) {
+		command_fail(cmd, "%u would result in oversize ping", len);
+		return;
+	}
+
 	if (!json_tok_number(buffer, pongbytestok, &pongbytes)) {
 		command_fail(cmd, "'%.*s' is not a valid number",
 			     pongbytestok->end - pongbytestok->start,
@@ -69,6 +89,12 @@ static void json_dev_ping(struct command *cmd,
 		return;
 	}

+	/* Note that > 65531 is valid: it means "no pong reply" */
+	if (pongbytes > 65535) {
+		command_fail(cmd, "pongbytes %u > 65535", pongbytes);
+		return;
+	}
+
 	if (!json_tok_pubkey(buffer, idtok, &id)) {
 		command_fail(cmd, "'%.*s' is not a valid pubkey",
 			     idtok->end - idtok->start,