multi: add restriction on maximum feature bit in invoices

Base 32 encoded bolt 11 invoices only allow 10 bits to express the length of the feature vector in a tagged field, so there is a much lower limit on the values invoice custom features can hold. Other places in the protocol are theoretically limited by the maximum message size, but since we express a feature bit as u16 we don't need to be concerned about this. The decision is made to track maximum per-set in the feature manager, which is conceptually aware of sets and then validate in lnwire/features against some arbitrary maximum value provided to the caller to keep the base features package unaware of sets.
2025-11-10 06:07:16 +01:00 · 2023-04-25 11:01:52 -04:00
parent 5a139fd297
commit 019127c4f4
4 changed files with 88 additions and 14 deletions
--- a/feature/manager.go
+++ b/feature/manager.go
@@ -221,7 +221,9 @@ func (m *Manager) UpdateFeatureSets(
 			return err
 		}

-		if err := m.Get(set).ValidateUpdate(newFeatures); err != nil {
+		if err := m.Get(set).ValidateUpdate(
+			newFeatures, set.Maximum(),
+		); err != nil {
 			return err
 		}

--- a/feature/set.go
+++ b/feature/set.go
@@ -1,5 +1,11 @@
 package feature

+import (
+	"math"
+
+	"github.com/lightningnetwork/lnd/lnwire"
+)
+
 // Set is an enum identifying various feature sets, which separates the single
 // feature namespace into distinct categories depending what context a feature
 // vector is being used.
@@ -56,3 +62,22 @@ func (s Set) String() string {
 		return "SetUnknown"
 	}
 }
+
+// Maximum returns the maximum allowable value for a feature bit in the context
+// of a set. The maximum feature value we can express differs by set context
+// because the amount of space available varies between protocol messages. In
+// practice this should never be a problem (reasonably one would never hit
+// these high ranges), but we enforce these maximums for the sake of sane
+// validation.
+func (s Set) Maximum() lnwire.FeatureBit {
+	switch s {
+	case SetInvoice, SetInvoiceAmp:
+		return lnwire.MaxBolt11Feature
+
+	// The space available in other sets is > math.MaxUint16, so we just
+	// return the maximum value our expression of a feature bit allows so
+	// that any value will pass.
+	default:
+		return math.MaxUint16
+	}
+}