meshcore-dev/MeshCore
1
0
Fork 0
mirror of https://github.com/meshcore-dev/MeshCore.git synced 2026-04-20 22:13:47 +00:00
Code Issues Projects Releases Packages Wiki Activity

fix bounds check on PAYLOAD_TYPE_PATH decrypted data

Browse source 
The path_len field inside the decrypted PATH payload was used to advance
the parse cursor without validating it against the actual decrypted data
length. A malicious peer sharing a key could craft a PATH packet with an
oversized path_len, causing out-of-bounds reads past the decrypted buffer
when accessing the extra_type byte and extra data pointer.

Add a bounds check after reading path_len to ensure the decrypted buffer
contains enough bytes for the claimed path plus the mandatory extra_type
byte before dereferencing.
This commit is contained in:
Wessel Nieboer 2026-02-11 03:19:13 +01:00 committed by Wessel Nieboer
parent fb726e48c2
commit 15cc805c04
No known key found for this signature in database
GPG key ID: 27BB1C3D63DEEFFF
1 changed files with 1 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
src/Mesh.cpp
View file

@ -155,6 +155,7 @@ DispatcherAction Mesh::onRecvPacket(Packet* pkt) {
uint8_t path_len = data[k++];
uint8_t hash_size = (path_len >> 6) + 1;
uint8_t hash_count = path_len & 63;
if (k + hash_size*hash_count + 1 > len) break; // bounds check: need path bytes + extra_type byte
uint8_t* path = &data[k]; k += hash_size*hash_count;
uint8_t extra_type = data[k++] & 0x0F; // upper 4 bits reserved for future use
uint8_t* extra = &data[k];