From 4abc32577f4044039c65a2b4d8463eed06b71b51 Mon Sep 17 00:00:00 2001
From: Wessel Nieboer
Date: Wed, 11 Feb 2026 04:33:48 +0100
Subject: [PATCH] Add minimum payload_len check for TRACE packet parsing
The TRACE handler reads 9 bytes (trace_tag, auth_code, flags) from the payload before any length validation. A short TRACE packet causes reads of stale buffer data and an underflow in the remaining-length calculation (uint8_t len = payload_len - 9 wraps to ~247). Add payload_len >= 9 to the existing guard condition so undersized TRACE packets are silently dropped.
---
 src/Mesh.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/Mesh.cpp b/src/Mesh.cpp
index 7252974a9..098d912db 100644
--- a/src/Mesh.cpp
+++ b/src/Mesh.cpp
@@ -40,7 +40,7 @@ int Mesh::searchChannelsByHash(const uint8_t* hash, GroupChannel channels[], int
 DispatcherAction Mesh::onRecvPacket(Packet* pkt) {
 if (pkt->isRouteDirect() && pkt->getPayloadType() == PAYLOAD_TYPE_TRACE) {
- if (pkt->path_len < MAX_PATH_SIZE) {
+ if (pkt->path_len < MAX_PATH_SIZE && pkt->payload_len >= 9) { // need trace_tag(4) + auth_code(4) + flags(1)
 uint8_t i = 0;
 uint32_t trace_tag;
 memcpy(&trace_tag, &pkt->payload[i], 4); i += 4;
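Review bot: The header size `9` is hard-coded in the new guard, and the commit message describes the later remaining-length calculation as subtracting the same value, so the two can drift apart if the TRACE header layout ever changes. A named constant would tie them together, e.g. `static constexpr uint8_t TRACE_HDR_LEN = 4 + 4 + 1;  // trace_tag + auth_code + flags` (the name is only a suggestion), with the guard written as `pkt->payload_len >= TRACE_HDR_LEN`. The guard covers only the fixed header, and onRecvPacket continues past the end of the hunk. It is worth confirming there that bytes after the header are bounded by the remaining length before they are indexed, and that the path taken when the guard fails does not read the payload.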