fix out-of-bounds read in TRACE packet hash matching

weebl2000 · weebl2000 · commit 8a461cfc77c4 · 2026-02-26T23:16:28.000+01:00
The TRACE handler uses isHashMatch() to compare this node's hash against
an entry in the payload, but did not verify that enough bytes remain in
the payload for the full hash comparison. The hash size is variable
(1, 2, 4, or 8 bytes depending on path_sz), so when offset is close to
the end of the payload, isHashMatch reads past the buffer boundary.

Add a bounds check ensuring offset + hash_sz &lt;= len before calling
isHashMatch, preventing the over-read.
diff --git a/src/Mesh.cpp b/src/Mesh.cpp
@@ -51,9 +51,10 @@ DispatcherAction Mesh::onRecvPacket(Packet* pkt) {
 
       uint8_t len = pkt->payload_len - i;
       uint8_t offset = pkt->path_len << path_sz;
+      uint8_t hash_sz = 1 << path_sz;
       if (offset >= len) {   // TRACE has reached end of given path
         onTraceRecv(pkt, trace_tag, auth_code, flags, pkt->path, &pkt->payload[i], len);
-      } else if (self_id.isHashMatch(&pkt->payload[i + offset], 1 << path_sz) && allowPacketForward(pkt) && !_tables->hasSeen(pkt)) {
+      } else if (offset + hash_sz <= len && self_id.isHashMatch(&pkt->payload[i + offset], hash_sz) && allowPacketForward(pkt) && !_tables->hasSeen(pkt)) {
         // append SNR (Not hash!)
         pkt->path[pkt->path_len++] = (int8_t) (pkt->getSNR()*4);
 
