Skip to content

Don't panic on bad nonce_size#2584

Merged
evan-oxide merged 3 commits into
masterfrom
evan/nonce-size-panic
Jul 2, 2026
Merged

Don't panic on bad nonce_size#2584
evan-oxide merged 3 commits into
masterfrom
evan/nonce-size-panic

Conversation

@evan-oxide

Copy link
Copy Markdown
Contributor

Before, the SP could cause the RoT to panic by sending it an attest request with a nonce_size larger than the actual blob of nonce data. Now the RoT replies with a BadMessageLength error instead.

This is slightly different than the other uses of BadMessageLength, but I don't think it's worth making a new error variant just for this case and plumbing it through MGS. Tell me if you disagree.

Tested on a grapefruit.

@evan-oxide evan-oxide requested review from flihp and labbott July 1, 2026 18:44

@jamesmunns jamesmunns left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This LGTM, modulo one tiny style nit and one "made me look".

Comment thread drv/lpc55-sprot-server/src/handler.rs Outdated
// Ensure the requester didn't send a bad nonce_size that's
// larger than the actual blob.
let nonce_size = nonce_size as usize;
if nonce_size > req.blob.len() {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tiny nit, I usually prefer something like:

let Some(nonce) = req.blob.get(..nonce_size) else {
    return Err(SprotError::Protocol(
        SprotProtocolError::BadMessageLength,
    ));
};

Ok((
    RspBody::Attest(Ok(AttestRsp::Attest)),
    Some(TrailingData::Attest { nonce, write_size }),
))

which lets you do the "length check" and "subslice" in one step.

@labbott labbott Jul 2, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have also begun to find joy in let / else

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah that's nicer!

/// Unknown message
BadMessageType,
/// Transfer size is outside of maximum and minimum lenghts for message type.
/// Transfer size is outside of maximum and minimum lengths for message

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did go and check, we do check that the nonce is a valid size elsewhere (I think min and max are checked in different places?).

Comment thread drv/lpc55-sprot-server/src/handler.rs Outdated
// Ensure the requester didn't send a bad nonce_size that's
// larger than the actual blob.
let nonce_size = nonce_size as usize;
if nonce_size > req.blob.len() {

@labbott labbott Jul 2, 2026

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have also begun to find joy in let / else

@evan-oxide evan-oxide enabled auto-merge (squash) July 2, 2026 16:20
@evan-oxide evan-oxide merged commit 6c7fed9 into master Jul 2, 2026
190 checks passed
@evan-oxide evan-oxide deleted the evan/nonce-size-panic branch July 2, 2026 16:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants