Skip to content

Fix out-of-bounds read in TRACE packet hash matching#1655

Open
weebl2000 wants to merge 1 commit into
meshcore-dev:devfrom
weebl2000:fix/trace-oob-read
Open

Fix out-of-bounds read in TRACE packet hash matching#1655
weebl2000 wants to merge 1 commit into
meshcore-dev:devfrom
weebl2000:fix/trace-oob-read

Conversation

@weebl2000
Copy link
Copy Markdown
Contributor

@weebl2000 weebl2000 commented Feb 11, 2026
edited
Loading

Severity: Medium

Summary

The TRACE packet handler compares this node's identity hash against an entry in the payload to decide whether to forward the packet. The hash size is variable — 1, 2, 4, or 8 bytes depending on the path_sz field in the packet flags. The existing bounds check (offset >= len) only verifies that the start of the hash is within the payload, but doesn't account for the full hash length. When offset is close to the end of the payload, isHashMatch reads past the valid payload bytes.

Impact

The over-read stays within the payload[184] array in the Packet struct — it reads stale data from previous packets in the pool, not unmapped memory. This means it won't crash or hard-fault any node.

The practical effect is incorrect routing decisions for TRACE packets:

  • False negative (most likely): stale bytes don't match the node's pub_key prefix → packet silently dropped when it should have been forwarded → broken/unreliable path traces.
  • False positive (unlikely): stale bytes happen to match → packet forwarded when it shouldn't be.

Any node on the mesh can trigger this since TRACE packets are unauthenticated and direct-routed. A crafted packet with path_sz = 3 (8-byte hashes) and a payload length that leaves fewer than 8 bytes after the offset will hit this path.

Fix

Add a bounds check ensuring offset + hash_sz <= len before calling isHashMatch. Packets that don't have enough payload bytes for a full hash comparison are now silently dropped.

Test plan

  • Normal path traces still work (single-byte and multi-byte hash modes)
  • TRACE packets that reach end of path still handled correctly (offset >= len branch)
  • Build tested on Heltec_v3_companion_radio_ble

Build firmware: Build from this branch

@weebl2000 weebl2000 force-pushed the fix/trace-oob-read branch 2 times, most recently from 00e9749 to 8a461cf Compare February 26, 2026 22:16
@weebl2000 weebl2000 mentioned this pull request Feb 26, 2026
Closed
3 tasks
@weebl2000 weebl2000 force-pushed the fix/trace-oob-read branch 2 times, most recently from 1c05fbc to bf17df3 Compare March 3, 2026 14:43
@weebl2000 weebl2000 force-pushed the fix/trace-oob-read branch from bf17df3 to 558f8d9 Compare March 23, 2026 13:29
@weebl2000
fix out-of-bounds read in TRACE packet hash matching
0c27534 
The TRACE handler uses isHashMatch() to compare this node's hash against
an entry in the payload, but did not verify that enough bytes remain in
the payload for the full hash comparison. The hash size is variable
(1, 2, 4, or 8 bytes depending on path_sz), so when offset is close to
the end of the payload, isHashMatch reads past the buffer boundary.

Add a bounds check ensuring offset + hash_sz <= len before calling
isHashMatch, preventing the over-read.
@weebl2000 weebl2000 force-pushed the fix/trace-oob-read branch from 558f8d9 to 0c27534 Compare April 4, 2026 11:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@weebl2000