lightningd: don't allow invoices with 640 byte descriptions.

rustyrussell · rustyrussell · commit 68241bf2315a · 2025-10-02T09:24:14.000+09:30
They are invalid! This is because our BOLT11_FIELD_BYTE_LIMIT is not the limit, it's one greater than the limit. Reported-by: https://github.com/noblepayne Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Changelog-Fixed: JSON-RPC: `invoice` no longer accepts 640-byte descriptions (it would produce malformed invoices).
diff --git a/common/bolt11.h b/common/bolt11.h
@@ -9,7 +9,7 @@
 #include <secp256k1_recovery.h>
 
 /* We only have 10 bits for the field length, meaning < 640 bytes */
-#define BOLT11_FIELD_BYTE_LIMIT ((1 << 10) * 5 / 8)
+#define BOLT11_FIELD_BYTE_LIMIT (((1 << 10) * 5 / 8) - 1)
 
 /* BOLT #11:
  * * `c` (24): `data_length` variable.
diff --git a/lightningd/invoice.c b/lightningd/invoice.c
@@ -1137,8 +1137,8 @@ static struct command_result *json_invoice(struct command *cmd,
 
 	if (strlen(desc_val) > BOLT11_FIELD_BYTE_LIMIT && !*hashonly) {
 		return command_fail(cmd, JSONRPC2_INVALID_PARAMS,
-				    "Descriptions greater than %d bytes "
-				    "not yet supported "
+				    "Description greater than %d bytes "
+				    "invalid "
 				    "(description length %zu)",
 				    BOLT11_FIELD_BYTE_LIMIT,
 				    strlen(desc_val));
diff --git a/plugins/keysend.c b/plugins/keysend.c
@@ -564,7 +564,7 @@ static struct command_result *htlc_accepted_call(struct command *cmd,
 					   (const char *)desc_field->value);
 		json_add_string(req->js, "description", desc);
 		/* Don't exceed max possible desc length! */
-		if (strlen(desc) >= BOLT11_FIELD_BYTE_LIMIT)
+		if (strlen(desc) > BOLT11_FIELD_BYTE_LIMIT)
 			json_add_bool(req->js, "deschashonly", true);
 	} else {
 		json_add_string(req->js, "description", "keysend");
diff --git a/tests/test_invoices.py b/tests/test_invoices.py
@@ -937,3 +937,27 @@ def test_invoice_botched_migration(node_factory, chainparams):
     assert ([(i['created_index'], i['label']) for i in l1.rpc.listinvoices()["invoices"]]
             == [(1, "made_after_bad_migration"), (2, "label1")])
     assert l1.rpc.invoice(100, "test", "test")["created_index"] == 3
+
+
+def test_invoice_maxdesc(node_factory, chainparams):
+    l1, l2 = node_factory.line_graph(2)
+
+    # BOLT #11:
+    #
+    # Note that the maximum length of a Tagged Field's `data` is constricted
+    # by the maximum value of `data_length`. This is 1023 x 5 bits, or 639
+    # bytes.
+    maxdesc = "x" * 639
+
+    # This should fail!
+    with pytest.raises(RpcError, match=r'Description greater than 639 bytes invalid \(description length 641\)'):
+        l1.rpc.invoice(123000, 'test_invoice_maxdesc', maxdesc + 'xx')
+
+    # This should also fail, but used to produce
+    # lnbcrt1230n1p5dm097sp545trjl795r3mm86mk4ln5jpjvnh04x8aryl3qadjt99vspu646zspp52hf43ln8vg0564ljwccs8d84xc70ls8n7wdmp75ygp7ll8rprqzsdqq0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rc0pu8s7rcxqyjw5qcqp99qxpqysgqr6l8swzm6jc42ehy4v7s83jrggtwa9ua39cvy46c46tmqwn97mn43ycww7e9cf4w5ws8lxnef2k3m5nfa5c34nz54jaxhzc5e72q0ccq26n9fx
+    with pytest.raises(RpcError, match=r'Description greater than 639 bytes invalid \(description length 640\)'):
+        l1.rpc.invoice(123000, 'test_invoice_maxdesc2', maxdesc + 'x')
+
+    # This should succeed.
+    inv = l1.rpc.invoice(123000, 'test_invoice_maxdesc3', maxdesc)
+    assert l1.rpc.decode(inv['bolt11'])['description'] == maxdesc
