
Draft: Eagerly parse to AnyRelayMsgOuter instead of using UnparsedRelayCell

Jim Newsome requested to merge jnewsome/arti:no-unparsed-relay-cell into main

With prop340 (packing and fragmentation), it doesn't make much sense to pass around an unparsed relay cell, since it could contain multiple messages and/or message fragments.

Initially I was planning to rework UnparsedRelayCell into UnparsedRelayMessage, reconstructing from cell(s) if needed. However, that route makes it less clear what validation is to be done where.

Eagerly parsing into AnyRelayMsgOuter and passing that around instead makes the current code a bit simpler and more robust (e.g. we now can't easily accidentally act on the command byte without validating that the rest of the message parses), and will simplify the implementation of packing and fragmentation.

The only downside I can think of is that in cases where a message of the wrong type is received, we'll now fully parse the message before rejecting it. I don't think this appreciably increases our attack surface though. In particular, since the parsing code is all in Rust, it shouldn't make it easier to exercise a parsing bug that results in buffer overflows etc., since such bugs are ~impossible in safe Rust code.
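As an added illustration of the "parse eagerly, then match on a typed value" point above (example code, not arti's own types or parser): a simplified relay-message parser in which callers can only reach a command-specific branch once the whole message has been validated, contrasted with peeking at the command byte. The enum, error type, and command-byte values are hypothetical and chosen for this example only.

```rust
// Hypothetical, simplified stand-ins for a parsed relay message and its errors.
#[derive(Debug, PartialEq)]
pub enum RelayMsg {
    /// END-style message carrying exactly one reason byte.
    End { reason: u8 },
    /// DATA-style message carrying an opaque payload.
    Data(Vec<u8>),
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated,
    BadLength,
    UnknownCommand(u8),
    WrongType,
}

// Command-byte values assumed for this example only (not Tor's real values).
pub const CMD_DATA: u8 = 2;
pub const CMD_END: u8 = 3;

/// Eager parser: the message either parses completely or is rejected, so no
/// caller ever holds a command byte that is not backed by a validated body.
pub fn parse_relay_msg(raw: &[u8]) -> Result<RelayMsg, ParseError> {
    let (&cmd, body) = raw.split_first().ok_or(ParseError::Truncated)?;
    match cmd {
        CMD_DATA => Ok(RelayMsg::Data(body.to_vec())),
        CMD_END => match body {
            [reason] => Ok(RelayMsg::End { reason: *reason }),
            _ => Err(ParseError::BadLength),
        },
        other => Err(ParseError::UnknownCommand(other)),
    }
}

/// The lazy pattern the MR moves away from: deciding based on the command
/// byte alone. A truncated END with no reason byte still answers `true`.
pub fn peek_is_end(raw: &[u8]) -> bool {
    raw.first() == Some(&CMD_END)
}

/// The eager pattern: a handler that only accepts END, and whose "close"
/// branch is unreachable until the whole message has parsed.
pub fn handle_expecting_end(raw: &[u8]) -> Result<u8, ParseError> {
    match parse_relay_msg(raw)? {
        RelayMsg::End { reason } => Ok(reason),
        RelayMsg::Data(_) => Err(ParseError::WrongType),
    }
}
```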
