paritytech · mergify · May 29, 2022 · May 27, 2022 · May 27, 2022 · May 27, 2022
diff --git a/bin/wasm-node/CHANGELOG.md b/bin/wasm-node/CHANGELOG.md
@@ -6,6 +6,10 @@
 
 - The networking code has been considerably refactored. Due to the large size of the change it is possible that unintended changes in behaviour have been introduced. ([#2264](https://github.com/paritytech/smoldot/pull/2264))
 
+### Fixed
+
+- Fix a panic in case of a Noise message with an invalid length. ([#2321](https://github.com/paritytech/smoldot/pull/2321))
+
 ## 0.6.16 - 2022-05-16
 
 ### Added

diff --git a/src/libp2p/connection/noise.rs b/src/libp2p/connection/noise.rs
@@ -272,9 +272,12 @@ impl Noise {
             // Allocate the space to decode to.
             // Each frame consists of the payload plus 16 bytes of authentication data, therefore
             // the payload size is `expected_len - 16`.
+            // We use `saturating_sub` in order to avoid panicking in case the `expected_len` is
+            // invalid. An invalid `expected_len` should trigger an error when decoding the
+            // message below.
             let len_before = self.rx_buffer_decrypted.len();
             self.rx_buffer_decrypted
-                .resize(len_before + expected_len - 16, 0);
+                .resize(len_before + expected_len.saturating_sub(16), 0);
 
             // Finally decoding the data.
             let written = self