From 80dfd69a848be40c5c28c3bf5d7adb264a88d47c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20P=C5=82atek?= <pawel.platek@trailofbits.com>
Date: Fri, 12 Apr 2024 18:52:00 +0200
Subject: [PATCH] command_executer - recv infinite loop

The command_executer/src/protocol_helpers.rs has a denial of service bug. The `recv` method may return 0 bytes (the `size`) variable, and this case is not accounted for: the 0 may be added to the `recv_bytes` infinitely.

Similar issue exists in vsock_sample: https://github.com/aws/aws-nitro-enclaves-samples/blob/dc4bba3d99bc4988a87ce7775cf1bc554537da16/vsock_sample/rs/src/protocol_helpers.rs#L45-L52

Correct handling is implemented in python versions and in the kmstool: https://github.com/aws/aws-nitro-enclaves-sdk-c/blob/550f7313bf792bf03200c7c6e1ac3fd7d2dc382f/bin/kmstool-enclave/main.c#L245-L247
---
 samples/command_executer/src/protocol_helpers.rs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/samples/command_executer/src/protocol_helpers.rs b/samples/command_executer/src/protocol_helpers.rs
index 2cc171fe..9d732df7 100644
--- a/samples/command_executer/src/protocol_helpers.rs
+++ b/samples/command_executer/src/protocol_helpers.rs
@@ -54,6 +54,7 @@ pub fn recv_loop(fd: RawFd, buf: &mut [u8], len: u64) -> Result<(), String> {
 
     while recv_bytes < len {
         let size = match recv(fd, &mut buf[recv_bytes..len], MsgFlags::empty()) {
+            Ok(0) => return Err(format!("{:?}", "Peer closed connection")),
             Ok(size) => size,
             Err(nix::errno::Errno::EINTR) => 0,
             Err(err) => return Err(format!("{:?}", err)),