Merge pull request #6463 from oasisprotocol/martin/fix/sgx-constraints-validation

martintomazic · web-flow · commit c882498af5c7 · 2026-02-17T10:49:20.000+01:00
go/common/node: Fix possible nil dereference
diff --git a/.changelog/6463.trivial.md b/.changelog/6463.trivial.md
diff --git a/go/common/node/sgx.go b/go/common/node/sgx.go
@@ -111,16 +111,18 @@ func (sc *SGXConstraints) ValidateBasic(cfg *TEEFeatures, isFeatureVersion242 bo
 		return fmt.Errorf("unsupported SGX constraints version: %d", sc.V)
 	}
 
+	if sc.Policy == nil {
+		return nil
+	}
+
 	// Check for TDX enablement.
 	if !cfg.SGX.TDX && sc.Policy.PCS != nil && sc.Policy.PCS.TDX != nil {
 		return fmt.Errorf("TDX policy not supported")
 	}
 
 	// Check that policy is compliant with the current feature version.
-	if sc.Policy != nil {
-		if err := sc.Policy.Validate(isFeatureVersion242); err != nil {
-			return fmt.Errorf("invalid policy: %w", err)
-		}
+	if err := sc.Policy.Validate(isFeatureVersion242); err != nil {
+		return fmt.Errorf("invalid policy: %w", err)
 	}
 
 	return nil
diff --git a/go/common/node/sgx_test.go b/go/common/node/sgx_test.go
@@ -68,6 +68,16 @@ func TestSGXConstraintsV1(t *testing.T) {
 	require.NoError(err, "ValidateBasic V1 SGX constraints")
 }
 
+func TestSGXConstraintsV1NilPolicy(t *testing.T) {
+	require := require.New(t)
+
+	sc := SGXConstraints{
+		Versioned: cbor.NewVersioned(1),
+	}
+	err := sc.ValidateBasic(&TEEFeatures{SGX: TEEFeaturesSGX{PCS: true}}, true)
+	require.NoError(err, "ValidateBasic V1 SGX constraints with nil policy")
+}
+
 func TestSGXAttestationV0(t *testing.T) {
 	require := require.New(t)
 
