From c21cc2034bd4879b9d07506785a377f19a81bd3d Mon Sep 17 00:00:00 2001
From: matejcik
Date: Tue, 29 Apr 2025 12:33:15 +0200
Subject: [PATCH] fix(core/protobuf): properly fail on wire type mismatch
otherwise we'd happily mis-parse a length-delimited field as a varint one, accepting the length as the varint value and consuming garbage from the length-delimited data for the next fields
---
 core/embed/rust/src/protobuf/decode.rs | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/core/embed/rust/src/protobuf/decode.rs b/core/embed/rust/src/protobuf/decode.rs
index aadcffadd5..5c4a21168d 100644
--- a/core/embed/rust/src/protobuf/decode.rs
+++ b/core/embed/rust/src/protobuf/decode.rs
@@ -100,6 +100,9 @@ impl Decoder {
 let prim_type = u8::try_from(field_key & 7)?;
 match msg.field(field_tag) {
+ Some(field) if field.get_type().primitive_type() != prim_type => {
+ return Err(error::invalid_value(field.name.into()));
+ }
 Some(field) => {
 let field_value = self.decode_field(stream, field)?;
 let field_name = Qstr::from(field.name);
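Review bot: The new guard arm `Some(field) if field.get_type().primitive_type() != prim_type` has no comment saying why a mismatch must be a hard error, and the diffstat shows only decode.rs changing, so no regression test pins the behaviour. I would put the rationale from the commit message next to the arm, e.g. `// Wire type from the key must match the schema type: otherwise a length prefix is taken as a varint value and the payload bytes are parsed as further fields.` A decoder test that encodes a varint-typed field with the length-delimited wire type and asserts an error would keep this from regressing. If this decoder is ever expected to accept packed repeated scalars (length-delimited on the wire, varint in the schema), strict equality would reject them; that is presumably intended here, but it is worth stating in the comment. The `match` and the enclosing function continue outside the hunk, so the `None` path for unknown tags is not visible for review.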