fix bounds check on PAYLOAD_TYPE_PATH decrypted data

The path_len field inside the decrypted PATH payload was used to advance
the parse cursor without validating it against the actual decrypted data
length. A malicious peer sharing a key could craft a PATH packet with an
oversized path_len, causing out-of-bounds reads past the decrypted buffer
when accessing the extra_type byte and extra data pointer.

Add a bounds check after reading path_len to ensure the decrypted buffer
contains enough bytes for the claimed path plus the mandatory extra_type
byte before dereferencing.
pull/1654/head
Wessel Nieboer 4 months ago
parent
commit
d9a698b0a0
No known key found for this signature in database GPG Key ID: 929C8E45E33B5FD2
1 src/Mesh.cpp

@ -155,6 +155,7 @@ DispatcherAction Mesh::onRecvPacket(Packet* pkt) {
uint8_t path_len = data[k++];
uint8_t hash_size = (path_len >> 6) + 1;
uint8_t hash_count = path_len & 63;
if (k + hash_size*hash_count + 1 > len) break; // bounds check: need path bytes + extra_type byte
uint8_t* path = &data[k]; k += hash_size*hash_count;
uint8_t extra_type = data[k++] & 0x0F; // upper 4 bits reserved for future use
uint8_t* extra = &data[k];
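Review bot: the added `if (k + hash_size*hash_count + 1 > len) break;` correctly bounds the path bytes and the `extra_type` byte (the `>` keeps every index read by this hunk below `len`), but the `extra` pointer formed on the last line, `uint8_t* extra = &data[k];`, is not given any length: when the packet ends right after `extra_type`, `extra` equals `data + len`, and nothing in this hunk stops a later consumer from reading through it. Suggest computing the remaining length here, e.g. `size_t extra_len = len - k;`, and passing it alongside `extra` so every read of the extra data is checked against what is actually left in the decrypted buffer.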