Fix long route failure attribution #3709

Merged


joostjager
Contributor

An out of bound error could occur when attribution data was provided by the downstream hop for an exceptionally long route. The fix limits the verification of attribution data hmacs up to hop 20. If the sender chooses to use a longer route, failures in the final part of the route won't be attributable.

Fixes #3708
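Added example, not part of the PR or of LDK's code: a minimal Rust model of the out-of-bounds condition described above and of the clamp that avoids it. Only `MAX_HOPS`, the 20-hop limit and the 27-hop route length come from the page; `Attribution`, `tag`, `build` and the `verify_*` functions are hypothetical, and `tag` is a non-cryptographic stand-in for per-hop HMAC verification.

```rust
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};

// The 20-hop limit comes from the PR text; the data layout below is constructed.
const MAX_HOPS: usize = 20;

/// Constructed stand-in for attribution data: one tag slot per attributable hop.
struct Attribution {
    tags: [u64; MAX_HOPS],
}

/// Stand-in for a per-hop keyed MAC. NOT cryptographic; keeps the example std-only.
fn tag(key: u64, hop: usize) -> u64 {
    let mut h = DefaultHasher::new();
    (key, hop).hash(&mut h);
    h.finish()
}

/// What the hops would report back: only the first MAX_HOPS hops get a slot.
fn build(keys: &[u64]) -> Attribution {
    let mut tags = [0u64; MAX_HOPS];
    for (i, key) in keys.iter().take(MAX_HOPS).enumerate() {
        tags[i] = tag(*key, i);
    }
    Attribution { tags }
}

/// Before: one lookup per route hop. Panics (index out of bounds) past MAX_HOPS.
fn verify_unclamped(keys: &[u64], a: &Attribution) -> usize {
    (0..keys.len()).filter(|&i| a.tags[i] == tag(keys[i], i)).count()
}

/// After: clamp first. Returns (hops verified, trailing hops left unattributable).
fn verify_clamped(keys: &[u64], a: &Attribution) -> (usize, usize) {
    let attributable = usize::min(keys.len(), MAX_HOPS);
    let ok = (0..attributable).filter(|&i| a.tags[i] == tag(keys[i], i)).count();
    (ok, keys.len() - attributable)
}

fn main() {
    let keys: Vec<u64> = (1..=27).collect(); // constructed 27-hop route
    let a = build(&keys);
    println!("clamped: {:?}", verify_clamped(&keys, &a));
}
```

In safe Rust the unclamped lookup is a panic rather than a memory-safety bug, so the impact of such an index error is a crash of the code path that interprets the failure message.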

@ldk-reviews-bot

ldk-reviews-bot commented Apr 4, 2025

👋 Thanks for assigning @TheBlueMatt as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

@joostjager joostjager requested a review from TheBlueMatt April 4, 2025 12:19
Collaborator

@TheBlueMatt TheBlueMatt left a comment


Cool, thanks. Gonna go ahead and land this because it's basically trivial.

@ldk-reviews-bot

👋 The first review has been submitted!

Do you think this PR is ready for a second reviewer? If so, click here to assign a second reviewer.

@joostjager
Contributor Author

Well not completely trivial although the code change seems to be. I had to look twice at the fix myself. But hopefully the comments explain it well enough.

@TheBlueMatt
Collaborator

Well the test is quite compelling :)

@TheBlueMatt TheBlueMatt merged commit 42ab42a into lightningdevkit:main Apr 4, 2025
25 of 27 checks passed
Contributor

@carlaKC carlaKC left a comment


post-merge review, lgtm!

@@ -1144,6 +1144,10 @@ where
.expect("Route we used spontaneously grew invalid keys in the middle of it?");
}

// In the best case, paths can be up to 27 hops. But attribution data can only be conveyed back to the sender from
// the first 20 hops. Determine the number of hops to be used for attribution data.
let attributable_hop_count = usize::min(path.hops.len(), MAX_HOPS);
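Review bot: The comment above `attributable_hop_count` hard-codes 20 and 27 while the code clamps with `MAX_HOPS`, so the comment goes stale silently if the constant changes; phrase it in terms of `MAX_HOPS` instead of the literal. The visible lines also only compute the clamped count: every later index into the attribution data needs to use `attributable_hop_count` rather than `path.hops.len()`, and this hunk does not show those uses, so they should be checked alongside it. It would also help to note here what the caller observes for a failure beyond hop `MAX_HOPS`, since the description says such failures are not attributable.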
Contributor


Still find myself wishing that the caller didn't need to concern itself with this level of detail about attributable failures, but don't see an obvious way to improve it.

Contributor Author


At the point of interpreting the failure message, there isn't much we can do about it. But one open question is whether we should limit pathfinding to 20 hops instead of 27 in pathfinding, so that we're sure every failure is attributable?

Collaborator


I doubt it's worth it. In the rare case that we are sending more than 20 hops it's probably because someone is doing something insane where they have a many-hop route hint, in which case it's not useful to get attribution data beyond the first handful.

Successfully merging this pull request may close these issues.

OOB access in AttributionData::verify
4 participants