Skip to content

TrafficManagement: don't learn identity from a signer's unsigned NodeInfo#11035

Merged
caveman99 merged 1 commit into
developfrom
tm-nodeinfo-identity-auth
Jul 17, 2026
Merged

TrafficManagement: don't learn identity from a signer's unsigned NodeInfo#11035
caveman99 merged 1 commit into
developfrom
tm-nodeinfo-identity-auth

Conversation

@caveman99

@caveman99 caveman99 commented Jul 16, 2026

Copy link
Copy Markdown
Member

The NodeInfo direct-response path in TrafficManagementModule answered a unicast NodeInfo
request from cache and, as a side effect, called nodeDB->updateUser() with the requester's
decoded User to keep the NodeDB fresh.

That path only handles unicast NodeInfo (!isBroadcast(mp.to)), and unicast NodeInfo is never
signed. So for a node already learned as an XEdDSA signer, the identity carried here cannot be
authenticated the way its signed broadcasts are - the stored long_name/short_name would be
overwritten from an unverified claim.

Skip the identity update when the sender is a known signer and the packet is unsigned. Nodes that
have never signed are learned exactly as before (their identity is not signature-protected
anywhere), and the cached direct response - public info sent back to the requester - is unchanged.

Behavior change: a known signer's User fields are no longer updated from a unicast NodeInfo
request on this path; they continue to update from that node's signed broadcast NodeInfo.

Test (test_traffic_management): a known signer's unicast NodeInfo request still gets a cached
response but no longer overwrites the stored name; the existing non-signer test is the control
that identity learning is otherwise preserved.

Summary by CodeRabbit

  • Bug Fixes

    • Improved protection against spoofed identity information in unsigned NodeInfo requests.
    • Preserves trusted device details while continuing to process valid direct responses.
  • Tests

    • Added coverage to verify unsigned identity claims cannot overwrite stored device information.

…Info

The NodeInfo direct-response path opportunistically called updateUser() with the
requester's decoded User. That path only sees unicast NodeInfo, which is never
signed, so for a node already known to sign its broadcasts the identity claim is
unauthenticated and would overwrite the stored name.

Skip the identity update when the sender is a known signer and the packet is
unsigned; non-signers are still learned as before, and the cached direct response
is unchanged.
@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

Traffic management now skips requester identity decoding for unsigned claims from known XEdDSA signers during NodeInfo direct responses. Tests cover cache handling, direct replies, and preservation of the stored signer name.

Changes

NodeInfo signer validation

Layer / File(s) Summary
Direct-response signature validation
src/modules/TrafficManagementModule.cpp
The NodeInfo cache path checks the sender’s signer status and packet signature flag before decoding requester identity data.
Unsigned signer regression coverage
test/test_traffic_management/test_main.cpp
Adds signer hot-store setup and verifies unsigned NodeInfo requests produce a cache response without overwriting the stored long name.

Estimated code review effort: 2 (Simple) | ~10 minutes

Suggested reviewers: nomdetom, thebentern

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description is relevant, but it does not follow the repository's required PR template or include the attestations checklist. Rewrite the PR description using the template sections and add the testing/regression attestations, including any devices not tested.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and accurately captures the main change to unsigned NodeInfo identity handling.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch tm-nodeinfo-identity-auth

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
test/test_traffic_management/test_main.cpp (1)

607-612: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Condense multi-line comments to comply with guidelines.

As per coding guidelines, comments should be kept minimal—one or two lines maximum. Consider shortening these explanatory blocks to match the convention:

  • test/test_traffic_management/test_main.cpp#L607-L612: condense the 5-line explanation into one or two lines (e.g., "Verify unsigned unicast NodeInfo requests from known signers do not overwrite their stored identity...").
  • test/test_traffic_management/test_main.cpp#L113-L115: condense the 3-line explanation into a shorter description.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/test_traffic_management/test_main.cpp` around lines 607 - 612, Condense
the explanatory comments in test/test_traffic_management/test_main.cpp at lines
607-612 and 113-115 to one or two concise lines each, preserving their purpose
and distinguishing the signed/unsigned NodeInfo identity-learning behavior; no
code changes are needed.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@test/test_traffic_management/test_main.cpp`:
- Around line 607-612: Condense the explanatory comments in
test/test_traffic_management/test_main.cpp at lines 607-612 and 113-115 to one
or two concise lines each, preserving their purpose and distinguishing the
signed/unsigned NodeInfo identity-learning behavior; no code changes are needed.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 77ac09a0-818f-4a89-9923-6fbbe6319b6a

📥 Commits

Reviewing files that changed from the base of the PR and between f18a8b0 and f71c5d8.

📒 Files selected for processing (2)
  • src/modules/TrafficManagementModule.cpp
  • test/test_traffic_management/test_main.cpp

@github-actions

Copy link
Copy Markdown
Contributor

⚡ Try this PR in the Web Flasher

Note

Building this pull request… the flash button, badges and supported-board
list will appear here automatically once CI finishes.

@thebentern thebentern added the bugfix Pull request that fixes bugs label Jul 17, 2026
@caveman99
caveman99 merged commit ed3afdb into develop Jul 17, 2026
170 of 178 checks passed
@caveman99
caveman99 deleted the tm-nodeinfo-identity-auth branch July 17, 2026 07:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bugfix Pull request that fixes bugs

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants