From d9e67222f59391a4352bd406ed21bed69ae0dc22 Mon Sep 17 00:00:00 2001 From: Wessel Nieboer Date: Wed, 25 Feb 2026 09:11:23 +0100 Subject: [PATCH 1/2] prefs is 5 char length :nerd: --- src/helpers/CommonCLI.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/helpers/CommonCLI.cpp b/src/helpers/CommonCLI.cpp index e20bbb1c0..fd6312734 100644 --- a/src/helpers/CommonCLI.cpp +++ b/src/helpers/CommonCLI.cpp @@ -749,7 +749,7 @@ void CommonCLI::handleCommand(uint32_t sender_timestamp, const char* command, ch _prefs->advert_loc_policy = ADVERT_LOC_SHARE; savePrefs(); strcpy(reply, "ok"); - } else if (memcmp(command+11, "prefs", 4) == 0) { + } else if (memcmp(command+11, "prefs", 5) == 0) { _prefs->advert_loc_policy = ADVERT_LOC_PREFS; savePrefs(); strcpy(reply, "ok"); From dd5c0a00ef173391b2c49e019b11d283af02628b Mon Sep 17 00:00:00 2001 From: Wessel Nieboer Date: Wed, 11 Feb 2026 04:33:30 +0100 Subject: [PATCH 2/2] Validate PATH path_len against MAX_PATH_SIZE before use The path_len field inside decrypted PATH payloads was validated against the decrypted buffer size but not against MAX_PATH_SIZE (64). A malicious contact could send a PATH packet with path_len up to 178, overflowing out_path[64] in onPeerPathRecv and packet->path[64] in sendDirect. Add a MAX_PATH_SIZE check after parsing path_len from the decrypted PATH payload. Also add defensive bounds checks in sendDirect for both the TRACE payload-append path and the normal path-copy path. --- src/Mesh.cpp | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/src/Mesh.cpp b/src/Mesh.cpp index 57fee1403..23a92bf85 100644 --- a/src/Mesh.cpp +++ b/src/Mesh.cpp @@ -155,6 +155,10 @@ DispatcherAction Mesh::onRecvPacket(Packet* pkt) { uint8_t path_len = data[k++]; uint8_t hash_size = (path_len >> 6) + 1; uint8_t hash_count = path_len & 63; + if (hash_size*hash_count > MAX_PATH_SIZE) { + MESH_DEBUG_PRINTLN("%s Mesh::onRecvPacket(): bad PATH path_len=%d exceeds MAX_PATH_SIZE", getLogDateTime(), (int)path_len); + break; + } uint8_t* path = &data[k]; k += hash_size*hash_count; uint8_t extra_type = data[k++] & 0x0F; // upper 4 bits reserved for future use uint8_t* extra = &data[k]; @@ -683,12 +687,20 @@ void Mesh::sendDirect(Packet* packet, const uint8_t* path, uint8_t path_len, uin uint8_t pri; if (packet->getPayloadType() == PAYLOAD_TYPE_TRACE) { // TRACE packets are different // for TRACE packets, path is appended to end of PAYLOAD. (path is used for SNR's) + if (packet->payload_len + path_len > sizeof(packet->payload)) { + _mgr->free(packet); + return; + } memcpy(&packet->payload[packet->payload_len], path, path_len); // NOTE: path_len here can be > 64, and NOT in the new scheme packet->payload_len += path_len; packet->path_len = 0; pri = 5; // maybe make this configurable } else { + if (path_len > MAX_PATH_SIZE) { + _mgr->free(packet); + return; + } packet->path_len = Packet::copyPath(packet->path, path, path_len); if (packet->getPayloadType() == PAYLOAD_TYPE_PATH) { pri = 1; // slightly less priority