From 6df7151f634df16aa258402a22eab625d9a9f89c Mon Sep 17 00:00:00 2001
From: Robert Ekl <ekl.rob@gmail.com>
Date: Tue, 24 Feb 2026 00:08:37 -0600
Subject: [PATCH] fix(staticpool): guard outbound queue index access

Return null for out-of-range PacketQueue::itemAt() indexes instead of indexing raw storage directly.

Prevents out-of-bounds reads when callers probe outbound entries beyond the current queue length.
---
 src/helpers/StaticPoolPacketManager.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/helpers/StaticPoolPacketManager.h b/src/helpers/StaticPoolPacketManager.h
index 52c299dbc..f71cdba0e 100644
--- a/src/helpers/StaticPoolPacketManager.h
+++ b/src/helpers/StaticPoolPacketManager.h
@@ -14,7 +14,7 @@ class PacketQueue {
   bool add(mesh::Packet* packet, uint8_t priority, uint32_t scheduled_for);
   int count() const { return _num; }
   int countBefore(uint32_t now) const;
-  mesh::Packet* itemAt(int i) const { return _table[i]; }
+  mesh::Packet* itemAt(int i) const { return (i >= 0 && i < _num) ? _table[i] : NULL; }
   mesh::Packet* removeByIdx(int i);
 };
 
@@ -34,4 +34,4 @@ class StaticPoolPacketManager : public mesh::PacketManager {
   mesh::Packet* removeOutboundByIdx(int i) override;
   void queueInbound(mesh::Packet* packet, uint32_t scheduled_for) override;
   mesh::Packet* getNextInbound(uint32_t now) override;
-};
\ No newline at end of file
+};