Skip to content

lightningd: fix segfault when parse_filter fails#8780

Merged
cdecker merged 2 commits intoElementsProject:masterfrom
dovgopoly:fix/seg-fault-logs
Dec 22, 2025
Merged

lightningd: fix segfault when parse_filter fails#8780
cdecker merged 2 commits intoElementsProject:masterfrom
dovgopoly:fix/seg-fault-logs

Conversation

@dovgopoly
Copy link
Collaborator

@dovgopoly dovgopoly commented Dec 10, 2025
edited
Loading

Fixes #8442

parse_filter() expects a JSMN_OBJECT. When not a JSMN_OBJECT is passed to the filter parameter, it called command_fail_badparam() which called command_log() that tried to access c->json_cmd->name, but c->json_cmd was still NULL because find_cmd() hadn't been called yet.

Example that triggered the crash:
./cli/lightning-cli wait -l 'invalid_json_object' -k subsystem=invoices indexname=created nextvalue=0 --network regtest

lightningd: FATAL SIGNAL 11 (version v25.12-21-g3851187-modded)
0x1042d2023 ???
        send_backtrace+0x4f:0
0x1042d20cb ???
        crashdump+0x43:0
0x19fe3b743 ???
        ???:0
0x104180173 command_log
        lightningd/jsonrpc.c:1406
0x10420d8f7 command_fail_badparam
        common/json_command.c:25
0x104181a07 parse_request
        lightningd/jsonrpc.c:1075
0x104181a07 read_json
        lightningd/jsonrpc.c:1216
0x10424c65b next_plan
        ccan/ccan/io/io.c:60
0x10424c65b do_plan
        ccan/ccan/io/io.c:422
0x10424c587 io_ready
        ccan/ccan/io/io.c:439
0x10424dd9b io_loop
        ccan/ccan/io/poll.c:470
0x10417ede7 io_loop_with_timers
        lightningd/io_loop_with_timers.c:22
0x104183a33 main
        lightningd/lightningd.c:1492

@dovgopoly dovgopoly mentioned this pull request Dec 10, 2025
Closed
@madelinevibes
Copy link
Collaborator

madelinevibes commented Dec 10, 2025

@ShahanaFarooqui has investigated the CI failures... Christian and Rusty are working on resolving some CI problems right now.
Once their fixes are applied, we'll get you to rebase and take a closer look if it still fails.

Shahana also noticed you forgot to add a Changelog entry in the commit.... here is the guide. You'll need to fix this: a very important habit! Not adding a Changelog entry can also fail CI (when it's working as expected).

Well done and congratulations on your first PR for CLN!

@ShahanaFarooqui
Copy link
Collaborator

ShahanaFarooqui commented Dec 11, 2025

@dovgopoly Thanks for the PR! I updated your commit message to include a changelog entry. Normally, the CI would fail with a clear error like:

::error::'Changelog' entry is missing in all commits, and 'Changelog-None' not specified in the PR description

However, for some strange reason, the CI didn’t even start the pre-build this time. Adding the changelog message allowed the CI to proceed, and we can investigate further if this issue happens again.

By the way, feel free to edit the commit message as you see fit, I just added it to test the CI flow. :).

@rustyrussell
Copy link
Contributor

rustyrussell commented Dec 11, 2025

Thanks! Great find!

Since this is your first PR I'm going to nitpick!

  1. Please write a quick test (perhaps in tests/test_misc.py) which triggers this: you can have it call out to lightning-cli exactly as you wrote here.
  2. Please include the crash backtrace in the commit msg: this is useful fodder for anyone looking at a similar crash!
  3. Changelog should probably say "Changelog-Fixed: JSON-RPC: fix crash when invalid filter parameter passed in JSON request" since we usually try to start with sub-categories, and CHANGELOG is for users, not (internal) developers.

@dovgopoly
Copy link
Collaborator Author

dovgopoly commented Dec 11, 2025

  1. This segfault is only happened when the --developer mode is off. So it's hard to trigger it in tests. The only approach I found:
def test_filter_with_invalid_json_bug(node_factory):
    l1 = node_factory.get_node(start=False)
    l1.daemon.early_opts = []
    l1.daemon.opts = {k: v for k, v in l1.daemon.opts.items() if not k.startswith('dev')}
    l1.start()

    ret = subprocess.run(['cli/lightning-cli',
                          '--network={}'.format(TEST_NETWORK),
                          '--lightning-dir={}'
                          .format(l1.daemon.lightning_dir),
                          '-l', '1',
                          '-k',
                          'wait',
                          'subsystem=invoices',
                          'indexname=created',
                          'nextvalue=0'])

2-3. Fixed.

@rustyrussell
Copy link
Contributor

rustyrussell commented Dec 12, 2025

And here's the blog post I made about it, with video!

https://rusty.ozlabs.org/2025/12/12/CLN-Neatening-A-Bugfix-PR.html

dovgopoly and others added 2 commits December 12, 2025 13:46
@dovgopoly @rustyrussell
lightningd: fix segfault when parse_filter fails
3ce90f8 
We need to initialize ->json_cmd *before* complaining about malformed
filters.

```
lightningd: FATAL SIGNAL 11 (version v25.12-21-g3851187-modded)
0x1042d2023 ???
        send_backtrace+0x4f:0
0x1042d20cb ???
        crashdump+0x43:0
0x19fe3b743 ???
        ???:0
0x104180173 command_log
        lightningd/jsonrpc.c:1406
0x10420d8f7 command_fail_badparam
        common/json_command.c:25
0x104181a07 parse_request
        lightningd/jsonrpc.c:1075
0x104181a07 read_json
        lightningd/jsonrpc.c:1216
0x10424c65b next_plan
        ccan/ccan/io/io.c:60
0x10424c65b do_plan
        ccan/ccan/io/io.c:422
0x10424c587 io_ready
        ccan/ccan/io/io.c:439
0x10424dd9b io_loop
        ccan/ccan/io/poll.c:470
0x10417ede7 io_loop_with_timers
        lightningd/io_loop_with_timers.c:22
0x104183a33 main
        lightningd/lightningd.c:1492
```

Co-authored-by: Rusty Russell <rusty@rustcorp.com.au>
Changelog-Fixed: JSON-RPC: malformed filters no longer crash lightningd.
@dovgopoly
tests: added *non-developer mode* test for invalid filtering
2ade704
@dovgopoly
Copy link
Collaborator Author

dovgopoly commented Dec 12, 2025

Thanks! It was an awesome blog post :)
I was unsure whether we need to add a test which turns off the dev mode. After your video, I understood that it's not bad. Added some assertions there as well.
I've also added a backtrace to the commit message.
cc @rustyrussell

@cdecker cdecker merged commit dcaa529 into ElementsProject:master Dec 22, 2025
43 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rustyrussell rustyrussell Awaiting requested review from rustyrussell

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

bad jsonrpc filter crashes node

5 participants

@dovgopoly @madelinevibes @ShahanaFarooqui @rustyrussell @cdecker