Skip to content

Validate buffer length before reading fields in Packet::readFrom #1666

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
weebl2000 wants to merge 2 commits into
base: dev
Choose a base branch
from
Open

Validate buffer length before reading fields in Packet::readFrom #1666

weebl2000 wants to merge 2 commits into from

Conversation

@weebl2000
Copy link
Contributor

@weebl2000 weebl2000 commented Feb 11, 2026

Severity: Low

Summary

Packet::readFrom reads the header byte, transport codes (4 bytes if present), and path_len from the source buffer before performing any length validation. With a short input (e.g. len = 0), these reads go past the end of the source buffer.

Unlike the main radio receive path (which parses packets inline in Dispatcher::checkRecv with proper bounds checking), readFrom is used by bridge interfaces (RS232, ESP-NOW) and importContact (flash blob storage). A corrupted blob or malformed bridge frame could trigger the over-read.

Fix

Add upfront length checks:

  • Minimum 2 bytes overall (header + path_len)
  • Transport codes require 4 additional bytes
  • Path bytes plus at least 1 byte of payload must fit before proceeding

Test plan

  • Bridge packet reception still works (RS232, ESP-NOW)
  • Contact import/export still works
  • Short/corrupt inputs return false without reading past the buffer
  • Build tested on Heltec_v3_companion_radio_ble

@weebl2000
Validate buffer length before reading fields in Packet::readFrom
d10fcd4 
readFrom reads the header byte, transport codes (4 bytes), and
path_len from the source buffer before any length validation. With a
short input, these reads go past the end of the buffer.

Add upfront length checks: minimum 2 bytes overall, transport codes
require 4 additional bytes, and path must fit before the remaining
payload.
@weebl2000
Clarify bounds check comment in Packet::readFrom
ef97fe2
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@weebl2000