From 72c2c54850abde7283e694dd7e9b7ff1c2b5585b Mon Sep 17 00:00:00 2001 From: Wessel Nieboer Date: Wed, 11 Feb 2026 04:18:18 +0100 Subject: [PATCH] validate advert payload length before parsing The ADVERT handler copied pub_key, timestamp, and signature from the payload before checking whether payload_len was large enough to contain them. With a short payload, the memcpy operations read uninitialized data from within the payload buffer. Move the bounds check before any parsing so undersized adverts are rejected immediately. The minimum required is PUB_KEY_SIZE + 4 + SIGNATURE_SIZE (100 bytes). --- src/Mesh.cpp | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/src/Mesh.cpp b/src/Mesh.cpp index 57fee1403..63c7c1e11 100644 --- a/src/Mesh.cpp +++ b/src/Mesh.cpp @@ -238,6 +238,12 @@ DispatcherAction Mesh::onRecvPacket(Packet* pkt) { } case PAYLOAD_TYPE_ADVERT: { int i = 0; + int min_advert_len = PUB_KEY_SIZE + 4 + SIGNATURE_SIZE; + if (pkt->payload_len < min_advert_len) { + MESH_DEBUG_PRINTLN("%s Mesh::onRecvPacket(): incomplete advertisement packet, payload_len=%d", getLogDateTime(), (int)pkt->payload_len); + break; + } + Identity id; memcpy(id.pub_key, &pkt->payload[i], PUB_KEY_SIZE); i += PUB_KEY_SIZE; @@ -245,9 +251,7 @@ DispatcherAction Mesh::onRecvPacket(Packet* pkt) { memcpy(×tamp, &pkt->payload[i], 4); i += 4; const uint8_t* signature = &pkt->payload[i]; i += SIGNATURE_SIZE; - if (i > pkt->payload_len) { - MESH_DEBUG_PRINTLN("%s Mesh::onRecvPacket(): incomplete advertisement packet", getLogDateTime()); - } else if (self_id.matches(id.pub_key)) { + if (self_id.matches(id.pub_key)) { MESH_DEBUG_PRINTLN("%s Mesh::onRecvPacket(): receiving SELF advert packet", getLogDateTime()); } else if (!_tables->hasSeen(pkt)) { uint8_t* app_data = &pkt->payload[i];