Validate decrypted PATH path_len against MAX_PATH_SIZE#1662
Open
weebl2000 wants to merge 1 commit intomeshcore-dev:devfrom
Open
Validate decrypted PATH path_len against MAX_PATH_SIZE#1662weebl2000 wants to merge 1 commit intomeshcore-dev:devfrom
weebl2000 wants to merge 1 commit intomeshcore-dev:devfrom
Conversation
weebl2000
force-pushed
the
fix/path-len-max-size
branch
from
f39705e to
5e59b41
Compare
The path_len field inside decrypted PATH payloads was validated against the decrypted buffer size but not against MAX_PATH_SIZE (64). A malicious contact could send a PATH packet with path_len up to 178, overflowing out_path[64] in onPeerPathRecv and packet->path[64] in sendDirect. Add a MAX_PATH_SIZE check after parsing path_len from the decrypted PATH payload. Also add defensive bounds checks in sendDirect for both the TRACE payload-append path and the normal path-copy path.
weebl2000
force-pushed
the
fix/path-len-max-size
branch
from
5e59b41 to
914b024
Compare
3 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Severity: Critical
Summary
The
path_lenfield inside decrypted PATH payloads is validated against the decrypted buffer size (by #1654) but not againstMAX_PATH_SIZE(64). A malicious contact can send a PATH packet where the innerpath_lenis up to 178, which passes the buffer bounds check but then overflows two 64-byte arrays:client->out_path[64]— in allonPeerPathRecvimplementations (repeater, room server, sensor, BaseChatMesh), the path is copied viamemcpy(client->out_path, path, client->out_path_len = path_len). Withpath_len > 64, this overwrites adjacent struct members (shared_secret, permissions, timestamps).packet->path[64]— insendDirect, the non-TRACE branch doesmemcpy(packet->path, path, packet->path_len = path_len)without checking againstMAX_PATH_SIZE.The TRACE branch of
sendDirectalso appends path data to the payload without checkingpayload_len + path_len <= MAX_PACKET_PAYLOAD.Who can exploit this: any peer in your contacts list (they need a shared key for the MAC/decryption to pass).
What it takes: a single crafted PATH packet over RF.
What users might see
A malicious contact could crash/reboot your node, corrupt routing state for other contacts, or potentially escalate privileges by overwriting the
permissionsfield of adjacent ACL entries.Fix
path_len > MAX_PATH_SIZEcheck after parsingpath_lenfrom the decrypted PATH payload, before any usesendDirectfor both the TRACE payload-append path and the normal path-copy path, freeing the packet on overflowTest plan
Heltec_v3_companion_radio_bleBuild firmware: Build from this branch