sphinx: Check the payload size at construction and in createonion

Fixes #3377

Changelog-Fixed: JSON-RPC: The arguments for `createonion` are now checked to ensure they fit in the onion packet.

common/sphinx.c

@@ -98,7 +98,6 @@ void sphinx_add_hop(struct sphinx_path *path, const struct pubkey *pubkey,
 	sp.raw_payload = tal_dup_arr(path, u8, payload, tal_count(payload), 0);
 	sp.pubkey = *pubkey;
 	tal_arr_expand(&path->hops, sp);
-	assert(sphinx_path_payloads_size(path) <= ROUTING_INFO_SIZE);
 }
 
 /* Small helper to append data to a buffer and update the position
@@ -396,6 +395,12 @@ struct onionpacket *create_onionpacket(
 	struct hop_params *params;
 	struct secret *secrets = tal_arr(ctx, struct secret, num_hops);
 
+	if (sphinx_path_payloads_size(sp) > ROUTING_INFO_SIZE) {
+		tal_free(packet);
+		tal_free(secrets);
+		return NULL;
+	}
+
 	if (sp->session_key == NULL) {
 		sp->session_key = tal(sp, struct secret);
 		randombytes_buf(sp->session_key, sizeof(struct secret));

lightningd/pay.c

@@ -1460,6 +1460,11 @@ static struct command_result *json_createonion(struct command *cmd,
 	for (size_t i=0; i<tal_count(hops); i++)
 		sphinx_add_hop(sp, &hops[i].pubkey, hops[i].raw_payload);
 
+	if (sphinx_path_payloads_size(sp) > ROUTING_INFO_SIZE)
+		return command_fail(
+		    cmd, JSONRPC2_INVALID_PARAMS,
+		    "Payloads exceed maximum onion packet size.");
+
 	packet = create_onionpacket(cmd, sp, &shared_secrets);
 	if (!packet)
 		return command_fail(cmd, LIGHTNINGD,

tests/test_pay.py

@@ -2718,7 +2718,6 @@ def test_partial_payment_htlc_loss(node_factory, bitcoind):
         l1.rpc.waitsendpay(payment_hash=inv['payment_hash'], timeout=TIMEOUT, partid=1)
 
 
-@pytest.mark.xfail(strict=True)
 def test_createonion_limits(node_factory):
     l1, = node_factory.get_nodes(1)
     hops = [{