Don't rely on calculate_success_probability* to handle amt > cap

Currently we let an `htlc_amount >= channel_capacity` pass through
from `penalty_msat` to
`calculate_success_probability_times_billion`, but only if its only
marginally bigger (less than 65/64ths). This is fine as
`calculate_success_probability_times_billion` handles bogus values
just fine (it will always return a zero probability in such cases).

However, this is risky, and in fact breaks in the coming commits,
so instead check it before ever calling through to the historical
bucket probability calculations.

Author: TheBlueMatt

lightning/src/routing/scoring.rs

@@ -999,7 +999,9 @@ impl<L: Deref<Target = u64>, BRT: Deref<Target = HistoricalBucketRangeTracker>,
 	/// Returns a liquidity penalty for routing the given HTLC `amount_msat` through the channel in
 	/// this direction.
 	fn penalty_msat(&self, amount_msat: u64, params: &ProbabilisticScoringParameters) -> u64 {
-		let max_liquidity_msat = self.max_liquidity_msat();
+		let available_capacity = self.available_capacity();
+		let max_liquidity_msat = available_capacity.saturating_sub(
+			self.decayed_offset_msat(*self.max_liquidity_offset_msat));
 		let min_liquidity_msat = core::cmp::min(self.min_liquidity_msat(), max_liquidity_msat);
 
 		let mut res = if amount_msat <= min_liquidity_msat {
@@ -1030,6 +1032,15 @@ impl<L: Deref<Target = u64>, BRT: Deref<Target = HistoricalBucketRangeTracker>,
 			}
 		};
 
+		if amount_msat >= available_capacity {
+			// We're trying to send more than the capacity, use a max penalty.
+			res = res.saturating_add(Self::combined_penalty_msat(amount_msat,
+				NEGATIVE_LOG10_UPPER_BOUND * 2048,
+				params.historical_liquidity_penalty_multiplier_msat,
+				params.historical_liquidity_penalty_amount_multiplier_msat));
+			return res;
+		}
+
 		if params.historical_liquidity_penalty_multiplier_msat != 0 ||
 		   params.historical_liquidity_penalty_amount_multiplier_msat != 0 {
 			let payment_amt_64th_bucket = if amount_msat < u64::max_value() / 64 {