Skip to content

TrafficManagement: gate role/NodeInfo cache writes on signer authenticity#11048

Merged
NomDeTom merged 3 commits into
developfrom
trafficmgmt-cache-gating
Jul 17, 2026
Merged

TrafficManagement: gate role/NodeInfo cache writes on signer authenticity#11048
NomDeTom merged 3 commits into
developfrom
trafficmgmt-cache-gating

Conversation

@caveman99

@caveman99 caveman99 commented Jul 17, 2026

Copy link
Copy Markdown
Member

The tier-3 role cache (updateCachedRoleFromNodeInfo) and the PSRAM NodeInfo response cache (cacheNodeInfoPacket) were refreshed from any received NodeInfo without an authenticity check. A spoofed NodeInfo (the sender field is forgeable) could therefore:

  • set a tracked node's cached role, granting the tracker / lost-and-found position-dedup exceptions and pinning the entry against eviction, or
  • overwrite the cached user that direct NodeInfo responses serve to requestors.

Both cache writes now use the same gate the identity-update path already applies: when a node known to sign its NodeInfo (nodeInfoLiteHasXeddsaSigned) sends an unsigned NodeInfo, the update is skipped. Nodes that have never signed are unaffected. No overlap with the existing direct-response updateUser gate; that guards a separate sink.

Summary by CodeRabbit

  • Bug Fixes
    • Prevented unauthenticated (unsigned) NodeInfo packets from updating trusted cached identity details.
    • Ensured NodeInfo processing consistently applies enhanced authentication gating, avoiding unintended updates to cached role data and related refresh behavior.
    • Updated the direct-response handling path to reuse the same authentication decision, preventing unsigned senders from triggering guarded identity overwrites.

…city

The tier-3 role cache and the PSRAM NodeInfo response cache were updated
from any received NodeInfo with no authenticity check, so a spoofed
NodeInfo could set a node's cached role (granting dedup exceptions) or
poison the cached user served in direct responses. Skip both cache
writes when a known signer's NodeInfo arrives unsigned, matching the
identity-update gate on the direct-response path.
@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 39d85595-e0b8-4729-9485-af3676f917c8

📥 Commits

Reviewing files that changed from the base of the PR and between 9dc977b and 30be1c8.

📒 Files selected for processing (1)
  • src/modules/TrafficManagementModule.cpp
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/modules/TrafficManagementModule.cpp

📝 Walkthrough

Walkthrough

TrafficManagementModule::handleReceived now reuses sender authentication state to prevent unauthenticated unsigned NODEINFO_APP packets from updating NodeInfo caches, cached roles, or stored identity data.

Changes

NodeInfo authentication handling

Layer / File(s) Summary
Gate NodeInfo identity and cache updates
src/modules/TrafficManagementModule.cpp
The NODEINFO_APP path identifies unsigned NodeInfo from XEdDSA-signed senders, skips PSRAM caching and cached-role refresh, and reuses that result to prevent direct-response identity updates.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The PR explains the change, but it omits the required attestations/testing section from the repository template. Replace the boilerplate with the template sections and add the Attestations checklist, including which devices were tested and any regression notes.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: restricting role and NodeInfo cache writes based on signer authenticity.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch trafficmgmt-cache-gating

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
src/modules/TrafficManagementModule.cpp (1)

735-736: 🚀 Performance & Scalability | 🔵 Trivial | 💤 Low value

Consider deduplicating the getMeshNode lookup.

This exact senderNode lookup and unauthenticatedSigner calculation are duplicated below at lines 756-757. Since getMeshNode involves an O(N) array traversal, you could optionally hoist this calculation to a higher scope to avoid performing the lookup twice for NODEINFO_APP packets.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/modules/TrafficManagementModule.cpp` around lines 735 - 736, Deduplicate
the sender lookup by hoisting the getMeshNode call and unauthenticatedSigner
calculation into the shared scope used by both paths in the relevant
packet-handling function. Remove the repeated declarations near the NODEINFO_APP
handling while preserving the existing senderNode and signature checks.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@src/modules/TrafficManagementModule.cpp`:
- Around line 735-736: Deduplicate the sender lookup by hoisting the getMeshNode
call and unauthenticatedSigner calculation into the shared scope used by both
paths in the relevant packet-handling function. Remove the repeated declarations
near the NODEINFO_APP handling while preserving the existing senderNode and
signature checks.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: 74301f7b-12cd-43ba-b6ed-26b2c508b426

📥 Commits

Reviewing files that changed from the base of the PR and between ed3afdb and 9dc977b.

📒 Files selected for processing (1)
  • src/modules/TrafficManagementModule.cpp

Compute the sender node lookup and unauthenticated-signer check once per
NodeInfo packet and reuse it for both the cache-refresh gate and the
direct-response identity gate, avoiding a second O(N) getMeshNode scan.
@github-actions

github-actions Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

⚡ Try this PR in the Web Flasher

Flash this PR in the Web Flasher

firmware commit boards expires

Warning

This is an automated, unreviewed CI test build. Back up your device configuration
before flashing, and only flash devices you are able to recover.

Supported boards built by this PR (29)
Device Board Platform
Crowpanel Adv 3.5 TFT elecrow-adv-35-tft esp32-s3
Heltec HT62 heltec-ht62-esp32c3-sx1262 esp32-c3
Heltec Mesh Node 096 heltec-mesh-node-t096 nrf52840
Heltec Mesh Node T1 heltec-mesh-node-t1 nrf52840
Heltec Mesh Node T114 heltec-mesh-node-t114 nrf52840
Heltec V3 heltec-v3 esp32-s3
Heltec V4 heltec-v4 esp32-s3
Meshnology W10 meshnology_w10 esp32-s3
Raspberry Pi Pico pico rp2040
Raspberry Pi Pico W picow rp2040
RAK WisMesh Pocket V3 rak_wismesh_pocket nrf52840
RAK WisMesh Repeater Mini V2 rak_wismesh_repeater_mini nrf52840
RAK WisMesh Tag rak_wismeshtag nrf52840
RAK WisBlock 11200 rak11200 esp32
RAK WisBlock 11310 rak11310 rp2040
RAK3312 rak3312 esp32-s3
RAK WisBlock 4631 rak4631 nrf52840
Seeed SenseCAP Mesh-Tracker-X1 seeed_mesh_tracker_X1 nrf52840
Seeed Wio Tracker L1 seeed_wio_tracker_L1 nrf52840
Seeed Xiao NRF52840 Kit seeed_xiao_nrf52840_kit nrf52840
Seeed Xiao ESP32-S3 seeed-xiao-s3 esp32-s3
Station G2 station-g2 esp32-s3
Station G3 station-g3 esp32-s3
LILYGO T-Deck t-deck-tft esp32-s3
LILYGO T-Echo t-echo nrf52840
LILYGO T-Echo Plus t-echo-plus nrf52840
LILYGO T-Impulse Plus t-impulse-plus nrf52840
LilyGo T3-C6 tlora-c6 esp32-c6
Seeed SenseCAP T1000-E tracker-t1000-e nrf52840

Build artifacts expire on 2026-08-16. Updated for f33544e.

@caveman99 caveman99 added the bugfix Pull request that fixes bugs label Jul 17, 2026
@caveman99
caveman99 requested a review from NomDeTom July 17, 2026 09:30

@NomDeTom NomDeTom left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It will do the job. There's a couple of wider testing and overall performance points which I'll pick up in a separate PR that builds on this work.

@NomDeTom
NomDeTom merged commit 985b983 into develop Jul 17, 2026
100 checks passed
@thebentern
thebentern deleted the trafficmgmt-cache-gating branch July 17, 2026 15:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bugfix Pull request that fixes bugs

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants