Passing a huge payload to createonion triggers assert: "common/sphinx.c:101: sphinx_add_hop: Assertion `sphinx_path_payloads_size(path) <= ROUTING_INFO_SIZE' failed." #3377

Closed
jarret opened this issue Dec 26, 2019 · 0 comments · Fixed by #3404

jarret commented Dec 26, 2019

I am running v0.8.0 (official branch, unpatched, unlike in #3370) and am experimenting with createonion and sendonion.

I am constructing custom TLV payloads and was trying to find the upper limit of how big they could be (with knowledge of the 1300 byte onion size, of course). I passed an intentionally-gigantic payload in the hop data into createonion. The payload is comprised of valid extension TLVs after the normal routing TLVs.

[{'payload': 'fd0bd5020203e80403094e810608094cfa0009040000fdad9b00fdad9dfd0bb800002727270100272727020027272703002727270400272727050027272706002727270700272727080027272709002727270a002727270b002727270c002727270d002727270e002727270f0027272710002727271100272727120027272713002727271400272727150027272716002727271700272727180027272719002727271a002727271b002727271c002727271d002727271e002727271f0027272720002727272100272727220027272723002727272400272727250027272726002727272700272727280027272729002727272a002727272b002727272c002727272d002727272e002727272f0027272730002727273100272727320027272733002727273400272727350027272736002727273700272727380027272739002727273a002727273b002727273c002727273d002727273e002727273f0027272740002727274100272727420027272743002727274400272727450027272746002727274700272727480027272749002727274a002727274b002727274c002727274d002727274e002727274f0027272750002727275100272727520027272753002727275400272727550027272756002727275700272727580027272759002727275a002727275b002727275c002727275d002727275e002727275f0027272760002727276100272727620027272763002727276400272727650027272766002727276700272727680027272769002727276a002727276b002727276c002727276d002727276e002727276f0027272770002727277100272727720027272700012727270101272727020127272703012727270401272727050127272706012727270701272727080127272709012727270a012727270b012727270c012727270d012727270e012727270f0127272710012727271101272727120127272713012727271401272727150127272716012727271701272727180127272719012727271a012727271b012727271c012727271d012727271e012727271f0127272720012727272101272727220127272723012727272401272727250127272726012727272701272727280127272729012727272a012727272b012727272c012727272d012727272e012727272f0127272730012727273101272727320127272733012727273401272727350127272736012727273701272727380127272739012727273a012727273b012727273c012727273d012727273e012727273f0127272740012727274101272727420127272743012727274401272727450127272746012727274701272727480127272749012727274a012727274b012727274c012727274d
012727274e012727274f0127272750012727275101272727520127272753012727275401272727550127272756012727275701272727580127272759012727275a012727275b012727275c01262b315d012727275e012727275f0127272760012727276101262c32620125374a63012727276401272727650127272766012727276701272727680127272769012727276a012727276b012727276c012727276d012727276e012727276f0127272770012727277101272727720127272700022727270102272727020227272703022727270402272727050227272706022727270702272727080227272709022727270a022727270b022727270c022727270d022727270e022727270f0227272710022727271102272727120227272713022727271402272727150227272716022727271702272727180227272719022727271a022727271b022727271c022727271d022727271e022727271f0227272720022727272102272727220227272723022727272402272727250227272726022727272702272727280227272729022727272a022727272b022727272c022727272d022727272e022727272f0227272730022727273102272727320227272733022727273402272727350227272736022727273702272727380227272739022727273a022727273b022727273c022727273d022727273e022727273f0227272740022727274102272727420227272743022727274402272727450227272746022727274702272727480227272749022727274a022727274b022727274c022727274d022727274e022727274f0227272750022727275102272727520227272753022727275402272727550227272756022727275702272727580227272759022727275a022727275b022727275c02156ca25d022727275e022727275f022727276002243b5061020f78b5620223435f63022727276402272727650227272766022727276702272727680227272769022727276a022727276b022727276c022727276d022727276e022727276f0227272770022727277102272727720227272700032727270103272727020327272703032727270403272727050327272706032727270703272727080327272709032727270a032727270b032727270c032727270d032727270e032727270f0327272710032727271103272727120327272713032727271403272727150327272716032727271703272727180327272719032727271a032727271b032727271c032727271d032727271e032727271f0327272720032727272103272727220327272723032727272403272727250327272726032727272703272727280327272729032727272a032727272b032727272c032727272d032727272e032727272f
0327272730032727273103272727320327272733032727273403272727350327272736032727273703272727380327272739032727273a032727273b032727273c032727273d032727273e032727273f0327272740032727274103272727420327272743032727274403272727450327272746032727274703272727480327272749032727274a032727274b032727274c032727274d032727274e032727274f03272727500327272751032727275203272727530327272754032727275503272727560327272757031c5c88580320507559032727275a032727275b03262a2d5c03097ebe5d032727275e032727275f03204f7260030583c66103196496620327272763032727276403272727650327272766032727276703272727680327272769032727276a032727276b032727276c032727276d032727276e032727276f0327272770032727277103272727720327272700042727270104272727020427272703042727270404272727050427272706042727270704272727080427272709042727270a042727270b042727270c042727270d042727270e042727270f0427272710042727271104272727120427272713042727271404272727150427272716042727271704272727180427272719042727271a042727271b042727271c042727271d042727271e042727271f0427272720042727272104272727220427272723042727272404272727250427272726042727272704272727280427272729042727272a042727272b042727272c042727272d042727272e042727272f0427272730042727273104272727320427272733042727273404272727350427272736042727273704272727380427272739042727273a042727273b042727273c042727273d042727273e042727273f0427272740042727274104272727420427272743042727274404272727450427272746042727274704272727480427272749042727274a042727274b042727274c042727274d042727274e042727274f042727275004272727510427272752042727275304272727540427272755042727275604272727570425374958040583c559041273ad5a04243d545b04243c525c040088ce5d04262e375e041a62925f040087cd60040b7dbc6104262c32620427272763042727276404272727650427272766042727276704272727680427272769042727276a042727276b042727276c042727276d042727276e042727276f0427272770042727277104272727720427272700052727270105272727020527272703052727270405272727050527272706052727270705272727080527272709052727270a052727270b052727270c052727270d052727270e052727270f05272727100527272711
052727271205272727130527272714052727271505272727160527272717052727271805272727',
  'pubkey': '02e389d861acd9d6f5700c99c6c33dd4460d6f1e2f6ba89d1f4f36be85fc60f8d7',
  'style': 'tlv'},
 {'payload': '2d020203e80403094e8108227f85facdc22b45bfb3a9e4ee48822c6c31736babdcc7c909a985fc6ea379162703e8',
  'pubkey': '035c77dc0a10fe60e1304ae5b57d8fef87751add5d016b896d854fb706be6fc96c',
  'style': 'tlv'}]

Which crashed my node:

2019-12-26T20:48:02.995Z DEBUG lightningd: Feerate estimate for urgent set to 3050 (was 3049)
2019-12-26T20:48:02.995Z DEBUG lightningd: Feerate estimate for normal set to 2972 (was 2961)
2019-12-26T20:48:02.995Z DEBUG lightningd: ... feerate estimate for slow hit floor 253
2019-12-26T20:48:12.415Z DEBUG lightningd: exposeprivate = NULL
2019-12-26T20:48:12.415Z DEBUG gossipd: REPLY WIRE_GOSSIP_GET_INCOMING_CHANNELS_REPLY with 0 fds
2019-12-26T20:48:12.433Z DEBUG hsmd: Client: Received message 8 from client
2019-12-26T20:48:12.454Z DEBUG gossipd: Trying to find a route from (me) to 02e389d861acd9d6f5700c99c6c33dd4460d6f1e2f6ba89d1f4f36be85fc60f8d7 for 601000msat
2019-12-26T20:48:12.454Z DEBUG gossipd: REPLY WIRE_GOSSIP_GETROUTE_REPLY with 0 fds
2019-12-26T20:48:12.459Z DEBUG gossipd: Trying to find a route from 02e389d861acd9d6f5700c99c6c33dd4460d6f1e2f6ba89d1f4f36be85fc60f8d7 to 035c77dc0a10fe60e1304ae5b57d8fef87751add5d016b896d854fb706be6fc96c for 1000msat
2019-12-26T20:48:12.459Z DEBUG gossipd: REPLY WIRE_GOSSIP_GETROUTE_REPLY with 0 fds
2019-12-26T20:48:12.462Z DEBUG gossipd: REPLY WIRE_GOSSIP_GETCHANNELS_REPLY with 0 fds
2019-12-26T20:48:12.465Z DEBUG gossipd: REPLY WIRE_GOSSIP_GETCHANNELS_REPLY with 0 fds
lightningd: common/sphinx.c:101: sphinx_add_hop: Assertion `sphinx_path_payloads_size(path) <= ROUTING_INFO_SIZE' failed.
lightningd: FATAL SIGNAL 6 (version v0.8.0)
0x55c9cf98511a send_backtrace
        common/daemon.c:41
0x55c9cf9851a4 crashdump
        common/daemon.c:54
0x7fcbd387d83f ???
        ???:0
0x7fcbd387d7bb ???
        ???:0
0x7fcbd3868534 ???
        ???:0
0x7fcbd386840e ???
        ???:0
0x7fcbd3876101 ???
        ???:0
0x55c9cf98c097 sphinx_add_hop
        common/sphinx.c:101
0x55c9cf9702d1 json_createonion
        lightningd/pay.c:1461
0x55c9cf9640c0 command_exec
        lightningd/jsonrpc.c:588
0x55c9cf9657ab rpc_command_hook_callback
        lightningd/jsonrpc.c:684
0x55c9cf97d880 plugin_hook_callback
        lightningd/plugin_hook.c:90
0x55c9cf97cb5c plugin_response_handle
        lightningd/plugin.c:258
0x55c9cf97cc86 plugin_read_json_one
        lightningd/plugin.c:356
0x55c9cf97cd5c plugin_read_json
        lightningd/plugin.c:388
0x55c9cf9c0078 next_plan
        ccan/ccan/io/io.c:59
0x55c9cf9c054b do_plan
        ccan/ccan/io/io.c:407
0x55c9cf9c057d io_ready
        ccan/ccan/io/io.c:417
0x55c9cf9c1e35 io_loop
        ccan/ccan/io/poll.c:445
0x55c9cf96286c io_loop_with_timers
        lightningd/io_loop_with_timers.c:24
0x55c9cf966d9c main
        lightningd/lightningd.c:855
0x7fcbd386a09a ???
        ???:0
0x55c9cf955139 ???
        ???:0
0xffffffffffffffff ???
        ???:0
2019-12-26T20:48:12.498Z **BROKEN** lightningd: FATAL SIGNAL 6 (version v0.8.0)
2019-12-26T20:48:12.498Z **BROKEN** lightningd: backtrace: common/daemon.c:46 (send_backtrace) 0x55c9cf985162
2019-12-26T20:48:12.498Z **BROKEN** lightningd: backtrace: common/daemon.c:54 (crashdump) 0x55c9cf9851a4
2019-12-26T20:48:12.498Z **BROKEN** lightningd: backtrace: (null):0 ((null)) 0x7fcbd387d83f
2019-12-26T20:48:12.498Z **BROKEN** lightningd: backtrace: (null):0 ((null)) 0x7fcbd387d7bb
2019-12-26T20:48:12.498Z **BROKEN** lightningd: backtrace: (null):0 ((null)) 0x7fcbd3868534
2019-12-26T20:48:12.498Z **BROKEN** lightningd: backtrace: (null):0 ((null)) 0x7fcbd386840e
2019-12-26T20:48:12.498Z **BROKEN** lightningd: backtrace: (null):0 ((null)) 0x7fcbd3876101
2019-12-26T20:48:12.498Z **BROKEN** lightningd: backtrace: common/sphinx.c:101 (sphinx_add_hop) 0x55c9cf98c097
2019-12-26T20:48:12.498Z **BROKEN** lightningd: backtrace: lightningd/pay.c:1461 (json_createonion) 0x55c9cf9702d1
2019-12-26T20:48:12.498Z **BROKEN** lightningd: backtrace: lightningd/jsonrpc.c:588 (command_exec) 0x55c9cf9640c0
2019-12-26T20:48:12.498Z **BROKEN** lightningd: backtrace: lightningd/jsonrpc.c:684 (rpc_command_hook_callback) 0x55c9cf9657ab
2019-12-26T20:48:12.498Z **BROKEN** lightningd: backtrace: lightningd/plugin_hook.c:90 (plugin_hook_callback) 0x55c9cf97d880
2019-12-26T20:48:12.498Z **BROKEN** lightningd: backtrace: lightningd/plugin.c:258 (plugin_response_handle) 0x55c9cf97cb5c
2019-12-26T20:48:12.498Z **BROKEN** lightningd: backtrace: lightningd/plugin.c:356 (plugin_read_json_one) 0x55c9cf97cc86
2019-12-26T20:48:12.498Z **BROKEN** lightningd: backtrace: lightningd/plugin.c:388 (plugin_read_json) 0x55c9cf97cd5c
2019-12-26T20:48:12.498Z **BROKEN** lightningd: backtrace: ccan/ccan/io/io.c:59 (next_plan) 0x55c9cf9c0078
2019-12-26T20:48:12.498Z **BROKEN** lightningd: backtrace: ccan/ccan/io/io.c:407 (do_plan) 0x55c9cf9c054b
2019-12-26T20:48:12.498Z **BROKEN** lightningd: backtrace: ccan/ccan/io/io.c:417 (io_ready) 0x55c9cf9c057d
2019-12-26T20:48:12.498Z **BROKEN** lightningd: backtrace: ccan/ccan/io/poll.c:445 (io_loop) 0x55c9cf9c1e35
2019-12-26T20:48:12.498Z **BROKEN** lightningd: backtrace: lightningd/io_loop_with_timers.c:24 (io_loop_with_timers) 0x55c9cf96286c
2019-12-26T20:48:12.498Z **BROKEN** lightningd: backtrace: lightningd/lightningd.c:855 (main) 0x55c9cf966d9c
2019-12-26T20:48:12.498Z **BROKEN** lightningd: backtrace: (null):0 ((null)) 0x7fcbd386a09a
2019-12-26T20:48:12.498Z **BROKEN** lightningd: backtrace: (null):0 ((null)) 0x55c9cf955139
2019-12-26T20:48:12.498Z **BROKEN** lightningd: backtrace: (null):0 ((null)) 0xffffffffffffffff
Log dumped in crash.log.20191226204812
./runld.sh: line 4: 28131 Aborted                 /home/jarret/lightningd-run/lightning/lightningd/lightningd --lightning-dir=/home/jarret/lightningd-run/lightning-dir --pid-file=/home/jarret/lightningd-run/lrun.pid --bitcoin-datadir=/home/jarret/.bitcoin --bitcoin-cli=/home/jarret/.bitcoin/bitcoin-0.18.1/bin/bitcoin-cli --bitcoin-rpcuser=pepe --bitcoin-rpcpassword=thefrog --fee-per-satoshi 1 --log-level=debug --plugin-dir=/home/jarret/lightningd-run/plugins --autocleaninvoice-cycle 3600 --alias "Banana Phone!" --rgb "C4FF5A" --network=bitcoin --zmq-pub-htlc-accepted=tcp://127.0.0.1:6666 --zmq-pub-invoice-payment=tcp://127.0.0.1:5555 --zmq-pub-forward-event=tcp://127.0.0.1:6666 --zmq-pub-connect=tcp://127.0.0.1:5556 --zmq-pub-disconnect=tcp://127.0.0.1:5556 $@

I would expect it to reject the createonion call with a descriptive "payloads too large" message rather than crashing.

The crash.log:
crash.log.20191226204812.gz

@cdecker cdecker self-assigned this Dec 27, 2019
@cdecker cdecker added this to the 0.8.1 milestone Dec 27, 2019
cdecker added a commit to cdecker/lightning that referenced this issue Jan 8, 2020
Fixes ElementsProject#3377

Changelog-Fixed: JSON-RPC: The arguments for `createonion` are now checked to ensure they fit in the onion packet.
cdecker added a commit to cdecker/lightning that referenced this issue Jan 9, 2020
Fixes ElementsProject#3377

Changelog-Fixed: JSON-RPC: The arguments for `createonion` are now checked to ensure they fit in the onion packet.
cdecker added a commit that referenced this issue Jan 10, 2020
Fixes #3377

Changelog-Fixed: JSON-RPC: The arguments for `createonion` are now checked to ensure they fit in the onion packet.
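
The kind of up-front size check the changelog entry describes, written here as an added example (it is not the code from the linked commits): caller-supplied hop payloads are validated and a recoverable error is returned, so an oversized request never reaches an `assert`. The names `check_onion_fit`, `hop_payload` and `onion_fit` are hypothetical; the 32-byte per-hop HMAC is taken from BOLT 4, and payloads are assumed to carry their BigSize length prefix, as the sample in the report does (`fd0bd5…`, `2d…`).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ROUTING_INFO_SIZE 1300 /* routing-info region named in the failed assertion */
#define HMAC_SIZE 32           /* per-hop HMAC, per BOLT 4 (assumption of this example) */

enum onion_fit { ONION_OK = 0, ONION_BAD_LENGTH = -1, ONION_TOO_LARGE = -2 };
struct hop_payload { const uint8_t *data; size_t len; }; /* hypothetical type */

/* Decode a BigSize prefix. Only the 1- and 3-byte forms are accepted: the
 * 5- and 9-byte forms describe lengths that can never fit in 1300 bytes.
 * Returns the prefix length, or 0 if malformed or non-minimal. */
static size_t bigsize_prefix(const uint8_t *p, size_t len, size_t *value)
{
    if (len >= 1 && p[0] < 0xfd) { *value = p[0]; return 1; }
    if (len >= 3 && p[0] == 0xfd) {
        *value = ((size_t)p[1] << 8) | p[2];
        return *value >= 0xfd ? 3 : 0;
    }
    return 0;
}

/* Validate untrusted hop payloads before any onion construction starts. */
enum onion_fit check_onion_fit(const struct hop_payload *hops, size_t n, size_t *total)
{
    size_t sum = 0;
    for (size_t i = 0; i < n; i++) {
        size_t declared, pre = bigsize_prefix(hops[i].data, hops[i].len, &declared);
        if (pre == 0 || declared != hops[i].len - pre)
            return ONION_BAD_LENGTH; /* prefix disagrees with the bytes supplied */
        /* Compare against the remaining room so the arithmetic cannot wrap. */
        if (hops[i].len > ROUTING_INFO_SIZE - HMAC_SIZE ||
            hops[i].len + HMAC_SIZE > ROUTING_INFO_SIZE - sum)
            return ONION_TOO_LARGE;
        sum += hops[i].len + HMAC_SIZE;
    }
    *total = sum;
    return ONION_OK;
}

int main(void)
{
    /* Constructed input: the report's two length prefixes over zero filler. */
    static uint8_t huge_hop[3032] = {0xfd, 0x0b, 0xd5}, last_hop[46] = {0x2d};
    struct hop_payload hops[] = {{huge_hop, sizeof huge_hop}, {last_hop, sizeof last_hop}};
    size_t total = 0;
    enum onion_fit r = check_onion_fit(hops, 2, &total);
    printf("%s\n", r == ONION_TOO_LARGE ? "payloads too large" : "fits");
    return 0;
}
```
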