Disallow sending invalid custom OM TLVs

valentinewallace · valentinewallace · commit bda54b15b76b · 2022-10-18T13:33:45.000-04:00
Onion message data TLV types must be &gt;= 64, enforce this on send
diff --git a/lightning/src/onion_message/functional_tests.rs b/lightning/src/onion_message/functional_tests.rs
@@ -217,6 +217,33 @@ fn reply_path() {
 		format!("Received an onion message with path_id None and a reply_path").to_string(), 2);
 }
 
+#[test]
+fn invalid_custom_message_type() {
+	let nodes = create_nodes(2);
+
+	struct InvalidCustomMessage{}
+	impl CustomOnionMessageContents for InvalidCustomMessage {
+		fn tlv_type(&self) -> u64 {
+			// Onion message contents must have a TLV >= 64.
+			63
+		}
+	}
+
+	impl Writeable for InvalidCustomMessage {
+		fn write<W: Writer>(&self, _w: &mut W) -> Result<(), io::Error> { unreachable!() }
+	}
+
+	impl MaybeReadableArgs<u64> for InvalidCustomMessage {
+		fn read<R: io::Read>(_buffer: &mut R, _message_type: u64) -> Result<Option<Self>, DecodeError> where Self: Sized {
+			unreachable!()
+		}
+	}
+
+	let test_msg = OnionMessageContents::Custom(InvalidCustomMessage {});
+	let err = nodes[0].messenger.send_onion_message(&[], Destination::Node(nodes[1].get_node_pk()), test_msg, None).unwrap_err();
+	assert_eq!(err, SendError::InvalidMessage);
+}
+
 #[test]
 fn peer_buffer_full() {
 	let nodes = create_nodes(2);
diff --git a/lightning/src/onion_message/messenger.rs b/lightning/src/onion_message/messenger.rs
@@ -156,6 +156,8 @@ pub enum SendError {
 	TooFewBlindedHops,
 	/// Our next-hop peer was offline or does not support onion message forwarding.
 	InvalidFirstHop,
+	/// Onion message contents must have a TLV type >= 64.
+	InvalidMessage,
 	/// Our next-hop peer's buffer was full or our total outbound buffer was full.
 	BufferFull,
 }
@@ -205,6 +207,9 @@ impl<Signer: Sign, K: Deref, L: Deref, CMH: Deref> OnionMessenger<Signer, K, L,
 				return Err(SendError::TooFewBlindedHops);
 			}
 		}
+		let OnionMessageContents::Custom(ref msg) = message;
+		if msg.tlv_type() < 64 { return Err(SendError::InvalidMessage) }
+
 		let blinding_secret_bytes = self.keys_manager.get_secure_random_bytes();
 		let blinding_secret = SecretKey::from_slice(&blinding_secret_bytes[..]).expect("RNG is busted");
 		let (introduction_node_id, blinding_point) = if intermediate_nodes.len() != 0 {

Original file line number	Diff line number	Diff line change
`@@ -156,6 +156,8 @@ pub enum SendError {`
`156`	`156`	`TooFewBlindedHops,`
`157`	`157`	`/// Our next-hop peer was offline or does not support onion message forwarding.`
`158`	`158`	`InvalidFirstHop,`
	`159`	`+ /// Onion message contents must have a TLV type >= 64.`
	`160`	`+ InvalidMessage,`
`159`	`161`	`/// Our next-hop peer's buffer was full or our total outbound buffer was full.`
`160`	`162`	`BufferFull,`
`161`	`163`	`}`
`@@ -205,6 +207,9 @@ impl<Signer: Sign, K: Deref, L: Deref, CMH: Deref> OnionMessenger<Signer, K, L,`
`205`	`207`	`return Err(SendError::TooFewBlindedHops);`
`206`	`208`	`}`
`207`	`209`	`}`
	`210`	`+ let OnionMessageContents::Custom(ref msg) = message;`
	`211`	`+ if msg.tlv_type() < 64 { return Err(SendError::InvalidMessage) }`
	`212`	`+`
`208`	`213`	`let blinding_secret_bytes = self.keys_manager.get_secure_random_bytes();`
`209`	`214`	`let blinding_secret = SecretKey::from_slice(&blinding_secret_bytes[..]).expect("RNG is busted");`
`210`	`215`	`let (introduction_node_id, blinding_point) = if intermediate_nodes.len() != 0 {`