Merge branch 'fix/oob_overflow' into 'master'

lhespress · lhespress · commit 3e3b346b0bb9 · 2026-02-02T10:07:13.000+08:00
fix(espnow): Fix where attacker-controlled `espnow_data-&gt;size` is validated...

See merge request ae_group/esp-now!153
diff --git a/src/espnow/src/espnow.c b/src/espnow/src/espnow.c
@@ -190,13 +190,19 @@ void espnow_recv_cb(const uint8_t *addr, const uint8_t *data, int size)
     rx_ctrl = &promiscuous_pkt->rx_ctrl;
 #endif
 
+    /**< Validate actual packet length before reading any header fields (CWE-125, CWE-20) */
+    if (size < (int)sizeof(espnow_data_t)) {
+        ESP_LOGD(TAG, "Receive cb args error: packet too short (size %d < %d)", size, (int)sizeof(espnow_data_t));
+        return;
+    }
+
     ESP_LOG_BUFFER_HEXDUMP(TAG, data, size, ESP_LOG_DEBUG);
     ESP_LOGD(TAG, "[%s, %d], " MACSTR ", rssi: %d, size: %d, total: %d - %d, type: %d, addr: %02x, g_msg_magic_cache_next: %d",
              __func__, __LINE__, MAC2STR(addr), rx_ctrl->rssi, size, espnow_data->size, sizeof(espnow_data_t), espnow_data->type, addr[5], g_msg_magic_cache_next);
 
     /**< Filter ESP-NOW packets not generated by this project */
     if (espnow_data->version != ESPNOW_VERSION || (espnow_data->type >= ESPNOW_DATA_TYPE_MAX)
-            || size != espnow_data->size + sizeof(espnow_data_t)
+            || size != (int)(sizeof(espnow_data_t) + espnow_data->size)
             || ESPNOW_ADDR_IS_SELF(espnow_data->src_addr)) {
         ESP_LOGD(TAG, "Receive cb args error, recv_addr: "MACSTR", src_addr: " MACSTR ", data: %p, size: %d",
                  MAC2STR(addr), MAC2STR(espnow_data->src_addr), data, size);
@@ -309,6 +315,11 @@ void espnow_recv_cb(const uint8_t *addr, const uint8_t *data, int size)
 
         goto EXIT;
     } else if (espnow_data->type == ESPNOW_DATA_TYPE_GROUP) {
+        if (size < (int)(sizeof(espnow_data_t) + sizeof(espnow_group_info_t))) {
+            ESP_LOGD(TAG, "[%s, %d] GROUP packet too short for group_info (size %d)", __func__, __LINE__, size);
+            return;
+        }
+
         espnow_group_info_t *group_info = (espnow_group_info_t *) espnow_data->payload;
         bool set_group_flag = false;
 
@@ -320,6 +331,11 @@ void espnow_recv_cb(const uint8_t *addr, const uint8_t *data, int size)
         if (group_info->addrs_num == 1 && ESPNOW_ADDR_IS_BROADCAST(group_info->addrs_list[0])) {
             set_group_flag = true;
         } else {
+            if (size < (int)(sizeof(espnow_data_t) + sizeof(espnow_group_info_t) + group_info->addrs_num * ESPNOW_ADDR_LEN)) {
+                ESP_LOGD(TAG, "[%s, %d] GROUP packet too short for addrs_list (size %d, addrs_num %d)", __func__, __LINE__, size, group_info->addrs_num);
+                return;
+            }
+
             if (espnow_data->size < (sizeof(espnow_group_info_t) + group_info->addrs_num * ESPNOW_ADDR_LEN)) {
                 ESP_LOGD(TAG, "[%s, %d] The size %d of the data must match with total size for addrs_num: %d", __func__, __LINE__, espnow_data->size, group_info->addrs_num);
                 return;
