fix(transport): bounds-check slicing in BLE and HID framing

AlfioEmanueleFresta · AlfioEmanueleFresta · commit e84a8dba153a · 2026-05-10T21:35:09.000+01:00
In `transport::ble::framing` and `transport::hid::framing`, rewrite
`frame()` / `message()`, `expected_bytes()`, and length helpers to use
`split_first`, `.get()`, and `saturating_sub` instead of direct
indexing. The behaviour is preserved (verified by the existing unit
tests).

In `transport::hid::channel::open` the INIT nonce comparison now uses
`response.payload.get(..INIT_NONCE_LEN)` rather than the previously
panic-prone slice index; the explicit length check on the line above
makes this safe in practice but the lint requires bounded access.
diff --git a/libwebauthn/src/transport/ble/framing.rs b/libwebauthn/src/transport/ble/framing.rs
@@ -126,16 +126,25 @@ impl BleFrameParser {
             ));
         }
 
-        let cmd = self.fragments[0][0].try_into().or(Err(IOError::new(
+        let (initial, continuations) = self
+            .fragments
+            .split_first()
+            .ok_or_else(|| IOError::new(IOErrorKind::InvalidData, "Frame has no fragments"))?;
+        let cmd_byte = *initial
+            .first()
+            .ok_or_else(|| IOError::new(IOErrorKind::InvalidData, "Initial fragment is empty"))?;
+        let cmd = cmd_byte.try_into().or(Err(IOError::new(
             IOErrorKind::InvalidData,
-            format!("Invalid BLE frame command: {:x}", self.fragments[0][0]),
+            format!("Invalid BLE frame command: {:x}", cmd_byte),
         )))?;
         let mut data = vec![];
-        data.extend(&self.fragments[0][INITIAL_FRAGMENT_HEADER_LENGTH..self.fragments[0].len()]);
-        for cont_fragment in &self.fragments[1..self.fragments.len()] {
-            data.extend_from_slice(
-                &cont_fragment[CONT_FRAGMENT_HEADER_LENGTH..cont_fragment.len()],
-            );
+        if let Some(initial_data) = initial.get(INITIAL_FRAGMENT_HEADER_LENGTH..) {
+            data.extend(initial_data);
+        }
+        for cont_fragment in continuations {
+            if let Some(cont_data) = cont_fragment.get(CONT_FRAGMENT_HEADER_LENGTH..) {
+                data.extend_from_slice(cont_data);
+            }
         }
 
         Ok(BleFrame::new(cmd, &data))
@@ -154,22 +163,23 @@ impl BleFrameParser {
     }
 
     fn expected_bytes(&self) -> Option<usize> {
-        if self.fragments.is_empty() {
-            return None;
-        }
-
-        let mut cursor = IOCursor::new(vec![self.fragments[0][1], self.fragments[0][2]]);
+        let initial = self.fragments.first()?;
+        let b1 = *initial.get(1)?;
+        let b2 = *initial.get(2)?;
+        let mut cursor = IOCursor::new(vec![b1, b2]);
         Some(cursor.read_u16::<BigEndian>().ok()? as usize)
     }
 
     fn data_len(&self) -> usize {
-        if self.fragments.is_empty() {
+        let Some((initial, continuations)) = self.fragments.split_first() else {
             return 0;
-        }
+        };
 
-        let mut data_len = self.fragments[0].len() - INITIAL_FRAGMENT_HEADER_LENGTH;
-        for cont_fragment in &self.fragments[1..self.fragments.len()] {
-            data_len += cont_fragment.len() - CONT_FRAGMENT_HEADER_LENGTH;
+        let mut data_len = initial.len().saturating_sub(INITIAL_FRAGMENT_HEADER_LENGTH);
+        for cont_fragment in continuations {
+            data_len += cont_fragment
+                .len()
+                .saturating_sub(CONT_FRAGMENT_HEADER_LENGTH);
         }
         data_len
     }
diff --git a/libwebauthn/src/transport/hid/channel.rs b/libwebauthn/src/transport/hid/channel.rs
@@ -189,7 +189,11 @@ impl<'d> HidChannel<'d> {
             return Err(Error::Transport(TransportError::InvalidEndpoint));
         }
 
-        if response.payload[0..INIT_NONCE_LEN] != nonce[0..INIT_NONCE_LEN] {
+        let payload_nonce = response
+            .payload
+            .get(..INIT_NONCE_LEN)
+            .ok_or(Error::Transport(TransportError::InvalidEndpoint))?;
+        if payload_nonce != nonce.as_slice() {
             warn!("INIT nonce mismatch. Terminating.");
             return Err(Error::Transport(TransportError::InvalidEndpoint));
         }
diff --git a/libwebauthn/src/transport/hid/framing.rs b/libwebauthn/src/transport/hid/framing.rs
@@ -147,22 +147,21 @@ impl HidMessageParser {
     }
 
     fn expected_bytes(&self) -> Option<usize> {
-        if self.packets.is_empty() {
-            return None;
-        }
-
-        let mut cursor = IOCursor::new(vec![self.packets[0][5], self.packets[0][6]]);
+        let initial = self.packets.first()?;
+        let b5 = *initial.get(5)?;
+        let b6 = *initial.get(6)?;
+        let mut cursor = IOCursor::new(vec![b5, b6]);
         Some(cursor.read_u16::<BigEndian>().ok()? as usize)
     }
 
     fn payload_len(&self) -> usize {
-        if self.packets.is_empty() {
+        let Some((initial, continuations)) = self.packets.split_first() else {
             return 0;
-        }
+        };
 
-        let mut payload_len = self.packets[0].len() - PACKET_INITIAL_HEADER_SIZE;
-        for cont_packet in &self.packets[1..self.packets.len()] {
-            payload_len += cont_packet.len() - PACKET_CONT_HEADER_SIZE;
+        let mut payload_len = initial.len().saturating_sub(PACKET_INITIAL_HEADER_SIZE);
+        for cont_packet in continuations {
+            payload_len += cont_packet.len().saturating_sub(PACKET_CONT_HEADER_SIZE);
         }
         payload_len
     }
@@ -175,7 +174,11 @@ impl HidMessageParser {
             ));
         }
 
-        let mut cursor = IOCursor::new(&self.packets[0]);
+        let (initial, continuations) = self
+            .packets
+            .split_first()
+            .ok_or_else(|| IOError::new(IOErrorKind::InvalidData, "Message has no packets"))?;
+        let mut cursor = IOCursor::new(initial);
         let cid = cursor.read_u32::<BigEndian>()?;
         let cmd = cursor.read_u8()? ^ PACKET_INITIAL_CMD_MASK;
         let Ok(cmd) = cmd.try_into() else {
@@ -188,9 +191,13 @@ impl HidMessageParser {
         let expected_size = cursor.read_u16::<BigEndian>()?;
 
         let mut payload = vec![];
-        payload.extend(&self.packets[0][PACKET_INITIAL_HEADER_SIZE..]);
-        for cont_packet in &self.packets[1..] {
-            payload.extend_from_slice(&cont_packet[PACKET_CONT_HEADER_SIZE..]);
+        if let Some(initial_payload) = initial.get(PACKET_INITIAL_HEADER_SIZE..) {
+            payload.extend(initial_payload);
+        }
+        for cont_packet in continuations {
+            if let Some(cont_payload) = cont_packet.get(PACKET_CONT_HEADER_SIZE..) {
+                payload.extend_from_slice(cont_payload);
+            }
         }
 
         payload.truncate(expected_size as usize);

Original file line number	Diff line number	Diff line change
`@@ -189,7 +189,11 @@ impl<'d> HidChannel<'d> {`
`189`	`189`	`return Err(Error::Transport(TransportError::InvalidEndpoint));`
`190`	`190`	`}`
`191`	`191`
`192`		`- if response.payload[0..INIT_NONCE_LEN] != nonce[0..INIT_NONCE_LEN] {`
	`192`	`+ let payload_nonce = response`
	`193`	`+ .payload`
	`194`	`+ .get(..INIT_NONCE_LEN)`
	`195`	`+ .ok_or(Error::Transport(TransportError::InvalidEndpoint))?;`
	`196`	`+ if payload_nonce != nonce.as_slice() {`
`193`	`197`	`warn!("INIT nonce mismatch. Terminating.");`
`194`	`198`	`return Err(Error::Transport(TransportError::InvalidEndpoint));`
`195`	`199`	`}`