mirror
/
MeshCore
mirror of https://github.com/meshcore-dev/MeshCore
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Validate PATH path_len against MAX_PATH_SIZE before use 

The path_len field inside decrypted PATH payloads was validated against
the decrypted buffer size but not against MAX_PATH_SIZE (64). A malicious
contact could send a PATH packet with path_len up to 178, overflowing
out_path[64] in onPeerPathRecv and packet->path[64] in sendDirect.

Add a MAX_PATH_SIZE check after parsing path_len from the decrypted
PATH payload. Also add defensive bounds checks in sendDirect for both
the TRACE payload-append path and the normal path-copy path.
pull/1662/head
Wessel Nieboer 4 months ago
parent
8c0d5c5b24
commit
03c845d174
No known key found for this signature in database GPG Key ID: 929C8E45E33B5FD2
1 changed files with 12 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 12
      src/Mesh.cpp

12
src/Mesh.cpp
View File

@ -155,6 +155,10 @@ DispatcherAction Mesh::onRecvPacket(Packet* pkt) {
uint8_t path_len = data[k++];
uint8_t hash_size = (path_len >> 6) + 1;
uint8_t hash_count = path_len & 63;
if (hash_size*hash_count > MAX_PATH_SIZE) {
MESH_DEBUG_PRINTLN("%s Mesh::onRecvPacket(): bad PATH path_len=%d exceeds MAX_PATH_SIZE", getLogDateTime(), (int)path_len);
break;
}
uint8_t* path = &data[k]; k += hash_size*hash_count;
uint8_t extra_type = data[k++] & 0x0F; // upper 4 bits reserved for future use
uint8_t* extra = &data[k];
@ -680,12 +684,20 @@ void Mesh::sendDirect(Packet* packet, const uint8_t* path, uint8_t path_len, uin
uint8_t pri;
if (packet->getPayloadType() == PAYLOAD_TYPE_TRACE) { // TRACE packets are different
// for TRACE packets, path is appended to end of PAYLOAD. (path is used for SNR's)
if (packet->payload_len + path_len > sizeof(packet->payload)) {
_mgr->free(packet);
return;
}
memcpy(&packet->payload[packet->payload_len], path, path_len); // NOTE: path_len here can be > 64, and NOT in the new scheme
packet->payload_len += path_len;
packet->path_len = 0;
pri = 5; // maybe make this configurable
} else {
if (path_len > MAX_PATH_SIZE) {
_mgr->free(packet);
return;
}
packet->path_len = Packet::copyPath(packet->path, path, path_len);
if (packet->getPayloadType() == PAYLOAD_TYPE_PATH) {
pri = 1; // slightly less priority

Write Preview
Loading…
Cancel
Save