
Add minimum payload_len check for TRACE packet parsing

The TRACE handler reads 9 bytes (trace_tag, auth_code, flags) from the
payload before any length validation. A short TRACE packet causes reads
of stale buffer data and an underflow in the remaining-length
calculation (uint8_t len = payload_len - 9 wraps to ~247).

Add payload_len >= 9 to the existing guard condition so undersized
TRACE packets are silently dropped.
pull/1663/head
Wessel Nieboer 4 months ago
parent
commit
4abc32577f
No known key found for this signature in database GPG Key ID: 929C8E45E33B5FD2
1 file changed: src/Mesh.cpp (2 lines)


@ -40,7 +40,7 @@ int Mesh::searchChannelsByHash(const uint8_t* hash, GroupChannel channels[], int
DispatcherAction Mesh::onRecvPacket(Packet* pkt) {
if (pkt->isRouteDirect() && pkt->getPayloadType() == PAYLOAD_TYPE_TRACE) {
if (pkt->path_len < MAX_PATH_SIZE) {
if (pkt->path_len < MAX_PATH_SIZE && pkt->payload_len >= 9) { // need trace_tag(4) + auth_code(4) + flags(1)
uint8_t i = 0;
uint32_t trace_tag;
memcpy(&trace_tag, &pkt->payload[i], 4); i += 4;
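Review bot: the new condition `pkt->payload_len >= 9` encodes the minimum length as a bare literal with only the trailing comment tying it to trace_tag(4) + auth_code(4) + flags(1), and the same 9 reappears in the remaining-length calculation the commit message describes (`uint8_t len = payload_len - 9`). A named constant (for example `TRACE_MIN_PAYLOAD_LEN`) or an expression built from the field sizes, used in both the guard and the subtraction, would keep the check and the arithmetic from drifting apart if a field is ever added to the TRACE header. The guard is sufficient only because it is evaluated before the first `memcpy(&trace_tag, &pkt->payload[i], 4)` in this hunk, so the placement is right; a test exercising payload_len of 8 and 9 would pin that boundary, and since the commit message says undersized packets are dropped silently, a one-line comment on the fall-through path stating that this is intentional would help the next reader.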
