
Validate buffer length before reading fields in Packet::readFrom

readFrom reads the header byte, transport codes (4 bytes), and
path_len from the source buffer before any length validation. With a
short input, these reads go past the end of the buffer.

Add upfront length checks: minimum 2 bytes overall, transport codes
require 4 additional bytes, and path must fit before the remaining
payload.
pull/1666/head
Wessel Nieboer 4 months ago
parent
commit
b6256e2150
No known key found for this signature in database GPG Key ID: 929C8E45E33B5FD2
  1. 5
      src/Packet.cpp

5
src/Packet.cpp

@ -63,9 +63,11 @@ uint8_t Packet::writeTo(uint8_t dest[]) const {
}
bool Packet::readFrom(const uint8_t src[], uint8_t len) {
if (len < 2) return false; // minimum: header + path_len
uint8_t i = 0;
header = src[i++];
if (hasTransportCodes()) {
if (i + 4 >= len) return false; // need 4 bytes for transport codes + path_len after
memcpy(&transport_codes[0], &src[i], 2); i += 2;
memcpy(&transport_codes[1], &src[i], 2); i += 2;
} else {
@ -75,9 +77,8 @@ bool Packet::readFrom(const uint8_t src[], uint8_t len) {
if (!isValidPathLen(path_len)) return false; // bad encoding
uint8_t bl = getPathByteLen();
if (i + bl >= len) return false; // path + at least 1 byte payload must fit
memcpy(path, &src[i], bl); i += bl;
if (i >= len) return false; // bad encoding
payload_len = len - i;
if (payload_len > sizeof(payload)) return false; // bad encoding
memcpy(payload, &src[i], payload_len); //i += payload_len;
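Review bot: The added checks bound only the reads from `src`; the write side of `memcpy(path, &src[i], bl)` still relies on `isValidPathLen()` and `getPathByteLen()` keeping `bl` within `sizeof(path)`, and neither is visible in this section. The payload copy has an explicit destination check (`if (payload_len > sizeof(payload)) return false;`), so I would add the matching `if (bl > sizeof(path)) return false;` before the path copy, or a comment stating that `isValidPathLen` already guarantees it. The literal in `if (i + 4 >= len)` could be written as `sizeof(transport_codes)`, assuming that array is the two 16-bit values the two 2-byte copies suggest, so the check follows the field. It is also worth a comment that a `false` return can leave `header`, `transport_codes` and `path_len` already overwritten, so callers must discard the packet. The body of `readFrom` continues past the end of the section shown.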
