From 8cf4bd902bb10689000d533d87af14a0b71f6e3c Mon Sep 17 00:00:00 2001
From: Rusty Russell
Date: Fri, 8 Jan 2021 05:19:47 +1030
Subject: [PATCH] lightningd: fix temporary onion_message leak: This is fixed when payload is freed, but I noted a leak in the case of an invalid payload:
```
E ValueError:
E Node errors:
E Global errors:
E - Node /tmp/ltests-ipt6ab_y/test_sendinvoice_1/lightning-2/ has memory leaks: [
E {
E "backtrace": [
E "ccan/ccan/tal/tal.c:442 (tal_alloc_)",
E "ccan/ccan/tal/tal.c:471 (tal_alloc_arr_)",
E "gossipd/gossipd_wiregen.c:925 (fromwire_gossipd_got_onionmsg_to_us)",
E "lightningd/onion_message.c:99 (handle_onionmsg_to_us)",
E "lightningd/gossip_control.c:166 (gossip_msg)",
E "lightningd/subd.c:480 (sd_msg_read)",
E "ccan/ccan/io/io.c:59 (next_plan)",
E "ccan/ccan/io/io.c:407 (do_plan)",
E "ccan/ccan/io/io.c:417 (io_ready)",
E "ccan/ccan/io/poll.c:445 (io_loop)",
E "lightningd/io_loop_with_timers.c:24 (io_loop_with_timers)",
E "lightningd/lightningd.c:1016 (main)"
E ],
E "label": "gossipd/gossipd_wiregen.c:925:u8[]",
E "parents": [
E "lightningd/onion_message.c:96:struct onion_message_hook_payload",
E "lightningd/plugin_hook.c:87:struct hook_instance *[]"
E ],
E "value": "0x560779438db8"
E }
E ]
```
Signed-off-by: Rusty Russell
---
lightningd/onion_message.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/lightningd/onion_message.c b/lightningd/onion_message.c
index 3444c00fa..90690a143 100644
--- a/lightningd/onion_message.c
+++ b/lightningd/onion_message.c
@@ -92,6 +92,7 @@ void handle_onionmsg_to_us(struct lightningd *ld, const u8 *msg)
 struct onion_message_hook_payload *payload;
 u8 *submsg;
 size_t submsglen;
+ const u8 *subptr;

 payload = tal(ld, struct onion_message_hook_payload);
 payload->om = tlv_onionmsg_payload_new(payload);
@@ -106,12 +107,15 @@ void handle_onionmsg_to_us(struct lightningd *ld, const u8 *msg)
 return;
 }
 submsglen = tal_bytelen(submsg);
- if (!fromwire_onionmsg_payload(cast_const2(const u8 **, &submsg),
+ subptr = submsg;
+ if (!fromwire_onionmsg_payload(&subptr,
 &submsglen, payload->om)) {
+ tal_free(payload);
 log_broken(ld->log, "bad got_onionmsg_tous om: %s",
 tal_hex(tmpctx, msg));
 return;
 }
+ tal_free(submsg);

 if (payload->reply_path && !payload->reply_blinding) {
 log_broken(ld->log,
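Review bot: The added `tal_free(payload);` covers only the `fromwire_onionmsg_payload` failure, but two other exits visible in this hunk come after `payload` was allocated off `ld`: the `return;` in the context at the top and the `payload->reply_path && !payload->reply_blinding` branch at the bottom. Their bodies lie outside the hunk, so this is inferred, but if they return without `tal_free(payload);` the same leak remains for every message that fails those checks, and this input presumably originates from peers. It would also help to record why the cursor copy exists, e.g. `/* fromwire advances subptr; submsg must keep pointing at the allocation for tal_free() */` above `subptr = submsg;`.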