From f697c1de8cc622308f0b93efc4b1bcd443e01696 Mon Sep 17 00:00:00 2001
From: Ember
Date: Sat, 4 Apr 2026 16:49:19 -0700
Subject: [PATCH] Fix heap buffer overflow on DMRG/DMRA packets

Incoming DMRG and DMRA packets were copied into 50-byte buffers without checking the packet length. UDP reads can return up to 500 bytes, overflowing the heap allocation. Drop oversized packets.
---
 MMDVMNetwork.cpp | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/MMDVMNetwork.cpp b/MMDVMNetwork.cpp
index e0e0d4e..26ee39d 100644
--- a/MMDVMNetwork.cpp
+++ b/MMDVMNetwork.cpp
@@ -276,11 +276,15 @@ void CMMDVMNetwork::clock(unsigned int ms)
 m_rxData.addData(&len, 1U);
 m_rxData.addData(m_buffer, len);
 } else if (::memcmp(m_buffer, "DMRG", 4U) == 0) {
- ::memcpy(m_radioPositionData, m_buffer, length);
- m_radioPositionLen = length;
+ if (length <= 50U) {
+ ::memcpy(m_radioPositionData, m_buffer, length);
+ m_radioPositionLen = length;
+ }
 } else if (::memcmp(m_buffer, "DMRA", 4U) == 0) {
- ::memcpy(m_talkerAliasData, m_buffer, length);
- m_talkerAliasLen = length;
+ if (length <= 50U) {
+ ::memcpy(m_talkerAliasData, m_buffer, length);
+ m_talkerAliasLen = length;
+ }
 } else if (::memcmp(m_buffer, "DMRC", 4U) == 0) {
 m_id = (m_buffer[4U] << 24) | (m_buffer[5U] << 16) | (m_buffer[6U] << 8) | (m_buffer[7U] << 0);