From 15cc805c044f2d150e0ad222e2b66433c78e41d0 Mon Sep 17 00:00:00 2001
From: Wessel Nieboer <wessel@weebl.me>
Date: Wed, 11 Feb 2026 03:19:13 +0100
Subject: [PATCH] fix bounds check on PAYLOAD_TYPE_PATH decrypted data

The path_len field inside the decrypted PATH payload was used to advance
the parse cursor without validating it against the actual decrypted data
length. A malicious peer sharing a key could craft a PATH packet with an
oversized path_len, causing out-of-bounds reads past the decrypted buffer
when accessing the extra_type byte and extra data pointer.

Add a bounds check after reading path_len to ensure the decrypted buffer
contains enough bytes for the claimed path plus the mandatory extra_type
byte before dereferencing.
---
 src/Mesh.cpp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Mesh.cpp b/src/Mesh.cpp
index 57fee140..afc46df1 100644
--- a/src/Mesh.cpp
+++ b/src/Mesh.cpp
@@ -155,6 +155,7 @@ DispatcherAction Mesh::onRecvPacket(Packet* pkt) {
                 uint8_t path_len = data[k++];
                 uint8_t hash_size = (path_len >> 6) + 1;
                 uint8_t hash_count = path_len & 63;
+                if (k + hash_size*hash_count + 1 > len) break;  // bounds check: need path bytes + extra_type byte
                 uint8_t* path = &data[k]; k += hash_size*hash_count;
                 uint8_t extra_type = data[k++] & 0x0F;   // upper 4 bits reserved for future use
                 uint8_t* extra = &data[k];