From d9e67222f59391a4352bd406ed21bed69ae0dc22 Mon Sep 17 00:00:00 2001
From: Wessel Nieboer
Date: Wed, 25 Feb 2026 09:11:23 +0100
Subject: [PATCH 1/2] prefs is 5 char length :nerd:

---
 src/helpers/CommonCLI.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/helpers/CommonCLI.cpp b/src/helpers/CommonCLI.cpp
index e20bbb1c0..fd6312734 100644
--- a/src/helpers/CommonCLI.cpp
+++ b/src/helpers/CommonCLI.cpp
@@ -749,7 +749,7 @@ void CommonCLI::handleCommand(uint32_t sender_timestamp, const char* command, ch
 _prefs->advert_loc_policy = ADVERT_LOC_SHARE;
 savePrefs();
 strcpy(reply, "ok");
- } else if (memcmp(command+11, "prefs", 4) == 0) {
+ } else if (memcmp(command+11, "prefs", 5) == 0) {
 _prefs->advert_loc_policy = ADVERT_LOC_PREFS;
 savePrefs();
 strcpy(reply, "ok");

From ac74cb08e24128225d8a2c86bcea1ca7e0fe878c Mon Sep 17 00:00:00 2001
From: Wessel Nieboer
Date: Wed, 11 Feb 2026 04:16:44 +0100
Subject: [PATCH 2/2] fix out_frame buffer overflow in companion radio response handlers

The onContactResponse handler copies peer response data into out_frame (MAX_FRAME_SIZE + 1 bytes) without checking whether the data fits. A peer response with len close to MAX_PACKET_PAYLOAD (184) writes up to 188 bytes into the 173-byte buffer, overflowing by 15 bytes.

This affects the status response, telemetry response, and binary response code paths. A malicious peer can trigger the overflow by sending a large response payload, corrupting the stack.

Cap each memcpy to the remaining space in out_frame before copying.
---
 examples/companion_radio/MyMesh.cpp | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/examples/companion_radio/MyMesh.cpp b/examples/companion_radio/MyMesh.cpp
index 1f71a9bc6..041fbb426 100644
--- a/examples/companion_radio/MyMesh.cpp
+++ b/examples/companion_radio/MyMesh.cpp
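Review bot: The comparison still accepts trailing characters and reads five bytes unconditionally: `memcmp(command+11, "prefs", 5)` matches `prefsfoo` as well, and if `command` terminates before byte 16 the five-byte read runs past its NUL (whether an earlier length check rules that out is outside the hunk). `strncmp(command+11, "prefs", 5) == 0` stops at the terminator and is otherwise equivalent; `strcmp(command+11, "prefs") == 0` would additionally reject trailing characters if an exact match is intended. handleCommand's body continues outside the hunk on both sides.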
@@ -654,8 +654,10 @@ void MyMesh::onContactResponse(const ContactInfo &contact, const uint8_t *data,
 out_frame[i++] = 0; // reserved
 memcpy(&out_frame[i], contact.id.pub_key, 6);
 i += 6; // pub_key_prefix
- memcpy(&out_frame[i], &data[4], len - 4);
- i += (len - 4);
+ int copy_len = len - 4;
+ if (copy_len > MAX_FRAME_SIZE - i) copy_len = MAX_FRAME_SIZE - i;
+ memcpy(&out_frame[i], &data[4], copy_len);
+ i += copy_len;
 _serial->writeFrame(out_frame, i);
 } else if (len > 4 && tag == pending_telemetry) { // check for matching response tag
 pending_telemetry = 0;
@@ -665,8 +667,10 @@ void MyMesh::onContactResponse(const ContactInfo &contact, const uint8_t *data,
 out_frame[i++] = 0; // reserved
 memcpy(&out_frame[i], contact.id.pub_key, 6);
 i += 6; // pub_key_prefix
- memcpy(&out_frame[i], &data[4], len - 4);
- i += (len - 4);
+ int copy_len = len - 4;
+ if (copy_len > MAX_FRAME_SIZE - i) copy_len = MAX_FRAME_SIZE - i;
+ memcpy(&out_frame[i], &data[4], copy_len);
+ i += copy_len;
 _serial->writeFrame(out_frame, i);
 } else if (len > 4 && tag == pending_req) { // check for matching response tag
 pending_req = 0;
@@ -676,8 +680,10 @@ void MyMesh::onContactResponse(const ContactInfo &contact, const uint8_t *data,
 out_frame[i++] = 0; // reserved
 memcpy(&out_frame[i], &tag, 4); // app needs to match this to RESP_CODE_SENT.tag
 i += 4;
- memcpy(&out_frame[i], &data[4], len - 4);
- i += (len - 4);
+ int copy_len = len - 4;
+ if (copy_len > MAX_FRAME_SIZE - i) copy_len = MAX_FRAME_SIZE - i;
+ memcpy(&out_frame[i], &data[4], copy_len);
+ i += copy_len;
 _serial->writeFrame(out_frame, i);
 }
 }
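Review bot: The clamp is written out verbatim in all three hunks (-654, -665 and -676), and the truncation it performs is silent: a response that does not fit is forwarded to the app as a shorter frame with nothing marking that bytes were dropped. Each site (or a single shared helper) should say so, e.g. `// cap to the space left in out_frame: a peer payload may exceed the frame size, so oversize responses are truncated rather than dropped`. The guard also compares `int copy_len` against `MAX_FRAME_SIZE - i`; if `i` or `MAX_FRAME_SIZE` is unsigned the comparison is done unsigned, which is harmless here because the visible `len > 4` conditions keep `copy_len` positive, but it would misbehave if the expression were reused where that does not hold. onContactResponse starts outside the hunk, and the types of `len`, `i` and `out_frame` are not visible here.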