Fix out-of-bounds read in PATH payload parsing #1654
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The path_len field inside the decrypted PATH payload was used to advance the parse cursor without validating it against the actual decrypted data length. A malicious peer sharing a key could craft a PATH packet with an oversized path_len, causing out-of-bounds reads past the decrypted buffer when accessing the extra_type byte and extra data pointer. Add a bounds check after reading path_len to ensure the decrypted buffer contains enough bytes for the claimed path plus the mandatory extra_type byte before dereferencing.
weebl2000
force-pushed
the
fix/path-payload-bounds-check
branch
from
19fe548 to
24c4e0b
Compare
ripplebiz
reviewed
Feb 11, 2026
Log path_len and len when the bounds check fails, making it easier to diagnose malformed or corrupt packets during development.
3 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Severity: Critical
Summary
When a node receives a PATH packet from a known contact, it decrypts the payload and parses a
path_lenfield to find the route data inside. The problem is thatpath_lencomes from the decrypted data itself, and nothing checks whether it's actually valid before using it to walk through the buffer.A compromised or malicious contact can send a PATH packet where
path_lenclaims to be much larger than the actual payload. The parser blindly advances past the end of the decrypted buffer and reads whatever happens to be in memory after it — stack variables, other packet data, etc. Depending on whatonPeerPathRecvdoes with the resulting garbage pointers, this could crash the node or leak memory contents back to the attacker in a response.Who can exploit this: any peer in your contacts list (they need a shared key for the MAC/decryption to pass).
What it takes: a single crafted PATH packet over RF.
What users might see
Even without a deliberate attack, this can be triggered by corrupted packets that happen to decrypt successfully (unlikely but possible with the 2-byte MAC). In practice, affected nodes could experience:
onPeerPathRecvstores a nonsense path for a contact, so subsequent direct messages to that peer get sent into the void until the next successful path exchange overwrites itMost of these would look like "flaky mesh" rather than a security issue, which is part of what makes it worth fixing.
Fix
One bounds check after reading
path_len— verify the buffer actually has room for the claimed path plus the extra_type byte before touching any of it. If not, drop the packet silently, same as a failed decryption.Test plan
Heltec_v3_companion_radio_ble