From 4905268b65b36d2d1468e2763408cb056cf63b36 Mon Sep 17 00:00:00 2001
From: Valentine Wallace <vwallace@protonmail.com>
Date: Tue, 18 Oct 2022 13:33:45 -0400
Subject: [PATCH] Disallow sending invalid custom OM TLVs

Onion message data TLV types must be >= 64, enforce this on send
---
 .../src/onion_message/functional_tests.rs     | 27 +++++++++++++++++++
 lightning/src/onion_message/messenger.rs      |  5 ++++
 2 files changed, 32 insertions(+)

diff --git a/lightning/src/onion_message/functional_tests.rs b/lightning/src/onion_message/functional_tests.rs
index 356e1f3cd..66ea62bbc 100644
--- a/lightning/src/onion_message/functional_tests.rs
+++ b/lightning/src/onion_message/functional_tests.rs
@@ -217,6 +217,33 @@ fn reply_path() {
 		format!("Received an onion message with path_id None and a reply_path").to_string(), 2);
 }
 
+#[test]
+fn invalid_custom_message_type() {
+	let nodes = create_nodes(2);
+
+	struct InvalidCustomMessage{}
+	impl CustomOnionMessageContents for InvalidCustomMessage {
+		fn tlv_type(&self) -> u64 {
+			// Onion message contents must have a TLV >= 64.
+			63
+		}
+	}
+
+	impl Writeable for InvalidCustomMessage {
+		fn write<W: Writer>(&self, _w: &mut W) -> Result<(), io::Error> { unreachable!() }
+	}
+
+	impl MaybeReadableArgs<u64> for InvalidCustomMessage {
+		fn read<R: io::Read>(_buffer: &mut R, _message_type: u64) -> Result<Option<Self>, DecodeError> where Self: Sized {
+			unreachable!()
+		}
+	}
+
+	let test_msg = OnionMessageContents::Custom(InvalidCustomMessage {});
+	let err = nodes[0].messenger.send_onion_message(&[], Destination::Node(nodes[1].get_node_pk()), test_msg, None).unwrap_err();
+	assert_eq!(err, SendError::InvalidMessage);
+}
+
 #[test]
 fn peer_buffer_full() {
 	let nodes = create_nodes(2);
diff --git a/lightning/src/onion_message/messenger.rs b/lightning/src/onion_message/messenger.rs
index 9c86a44e0..5cf2e1e0d 100644
--- a/lightning/src/onion_message/messenger.rs
+++ b/lightning/src/onion_message/messenger.rs
@@ -156,6 +156,8 @@ pub enum SendError {
 	TooFewBlindedHops,
 	/// Our next-hop peer was offline or does not support onion message forwarding.
 	InvalidFirstHop,
+	/// Onion message contents must have a TLV type >= 64.
+	InvalidMessage,
 	/// Our next-hop peer's buffer was full or our total outbound buffer was full.
 	BufferFull,
 }
@@ -205,6 +207,9 @@ impl<Signer: Sign, K: Deref, L: Deref, CMH: Deref> OnionMessenger<Signer, K, L,
 				return Err(SendError::TooFewBlindedHops);
 			}
 		}
+		let OnionMessageContents::Custom(ref msg) = message;
+		if msg.tlv_type() < 64 { return Err(SendError::InvalidMessage) }
+
 		let blinding_secret_bytes = self.keys_manager.get_secure_random_bytes();
 		let blinding_secret = SecretKey::from_slice(&blinding_secret_bytes[..]).expect("RNG is busted");
 		let (introduction_node_id, blinding_point) = if intermediate_nodes.len() != 0 {
-- 
2.39.5