aljaz/lightning
1
0
Fork 0
mirror of https://github.com/aljazceru/lightning.git synced 2025-12-19 07:04:22 +01:00
Code Issues Packages Projects Releases Wiki Activity

common: don't crash on bad sphinx payload.

Browse Source 
It's cleanest to eliminate the SPHINX_INVALID_PAYLOAD altogether.

lightning_channeld: FATAL SIGNAL (version v0.7.3-242-gb1583bb-modded)
0x55a8169eed08 send_backtrace
	common/daemon.c:41
0x55a8169fc3eb status_failed
	common/status.c:206
0x55a8169fc657 status_backtrace_exit
	common/subdaemon.c:25
0x55a8169eedbb crashdump
	common/daemon.c:57
0x7f0eaff8446f ???
	???:0
0x7f0eaff843eb ???
	???:0
0x7f0eaff63898 ???
	???:0
0x55a8169fb29f route_step_decode
	common/sphinx.c:759
0x55a8169fb60a process_onionpacket
	common/sphinx.c:834
0x55a8169d9b34 get_shared_secret
	channeld/channeld.c:605
0x55a8169d9d35 handle_peer_add_htlc
	channeld/channeld.c:649
0x55a8169dd88d peer_in
	channeld/channeld.c:1838
0x55a8169e11a8 main
	channeld/channeld.c:3233
0x7f0eaff651e2 ???

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
This commit is contained in:
Rusty Russell
2019-12-04 16:24:17 +10:30
committed by Christian Decker
parent f8d8348c9f
commit bb538a1862
3 changed files with 10 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
common/sphinx.c
View File

@@ -549,15 +549,13 @@ static bool sphinx_write_frame(u8 *dest, const struct sphinx_hop *hop)
return true;
}
static void sphinx_parse_payload(struct route_step *step, const u8 *src)
static bool sphinx_parse_payload(struct route_step *step, const u8 *src)
{
size_t hop_size, vsize;
bigsize_t raw_size;
#if !EXPERIMENTAL_FEATURES
if (src[0] != 0x00) {
step->type = SPHINX_INVALID_PAYLOAD;
return;
}
if (src[0] != 0x00)
return false;
#endif
/* BOLT #4:
@@ -583,8 +581,7 @@ static void sphinx_parse_payload(struct route_step *step, const u8 *src)
hop_size = raw_size + vsize + HMAC_SIZE;
step->type = SPHINX_TLV_PAYLOAD;
} else {
step->type = SPHINX_INVALID_PAYLOAD;
return;
return false;
}
/* Copy common pieces over */
@@ -607,10 +604,10 @@ static void sphinx_parse_payload(struct route_step *step, const u8 *src)
if (!fromwire_tlv_payload(&tlv, &max, step->payload.tlv)) {
/* FIXME: record offset of violation for error! */
step->type = SPHINX_INVALID_PAYLOAD;
return;
return false;
}
}
return true;
}
struct onionpacket *create_onionpacket(
@@ -754,7 +751,6 @@ static void route_step_decode(struct route_step *rs)
}
#endif
break;
case SPHINX_INVALID_PAYLOAD:
case SPHINX_RAW_PAYLOAD:
abort();
}
@@ -803,7 +799,8 @@ struct route_step *process_onionpacket(
if (!blind_group_element(&step->next->ephemeralkey, &msg->ephemeralkey, blind))
return tal_free(step);
sphinx_parse_payload(step, paddedheader);
if (!sphinx_parse_payload(step, paddedheader))
return tal_free(step);
/* Extract how many bytes we need to shift away */
if (paddedheader[0] == 0x00) {