Description:
Requester validation for KEY_PAIR_INFO is minimum-size oriented and parses required fields, but does not enforce exact full-message parsed-size equality, allowing trailing bytes to be tolerated.
Observed Behavior
Validation checks mostly use >= minimum required sizes.
SPDM 1.4 extension fields are validated for minimum presence.
Extra trailing data can remain accepted if mandatory fields parse correctly.
Expected Behavior
Requester should enforce exact parsed-size match for full KEY_PAIR_INFO layout and reject trailing bytes beyond defined structure.
Impact
Compliance strictness gap in parser behavior.
Potential interoperability ambiguity with non-canonical message encodings.
Severity
Low-Medium (strictness/compliance issue, non-security by itself).
Suggested Fix
After parsing complete layout, require exact size equality with message length and reject extras as invalid size/field. Add UT with syntactically valid payload plus trailing bytes.
Present in Release 3.8.2
Yes, core permissive behavior is also present there.
Description:
Requester validation for KEY_PAIR_INFO is minimum-size oriented and parses required fields, but does not enforce exact full-message parsed-size equality, allowing trailing bytes to be tolerated.
Observed Behavior
Validation checks mostly use >= minimum required sizes.
SPDM 1.4 extension fields are validated for minimum presence.
Extra trailing data can remain accepted if mandatory fields parse correctly.
Expected Behavior
Requester should enforce exact parsed-size match for full KEY_PAIR_INFO layout and reject trailing bytes beyond defined structure.
Impact
Compliance strictness gap in parser behavior.
Potential interoperability ambiguity with non-canonical message encodings.
Severity
Low-Medium (strictness/compliance issue, non-security by itself).
Suggested Fix
After parsing complete layout, require exact size equality with message length and reject extras as invalid size/field. Add UT with syntactically valid payload plus trailing bytes.
Present in Release 3.8.2
Yes, core permissive behavior is also present there.