Validate path length against max path size

weebl2000 · weebl2000 · commit ce99d64a2ee8 · 2026-02-28T19:07:02.000+01:00
diff --git a/examples/simple_repeater/MyMesh.cpp b/examples/simple_repeater/MyMesh.cpp
@@ -151,6 +151,7 @@ uint8_t MyMesh::handleAnonRegionsReq(const mesh::Identity& sender, uint32_t send
     reply_path_hash_size = (*data >> 6) + 1;
     data++;
 
+    if (reply_path_len * reply_path_hash_size > MAX_PATH_SIZE) return 0;
     memcpy(reply_path, data, ((uint8_t)reply_path_len) * reply_path_hash_size);
     // data += (uint8_t)reply_path_len * reply_path_hash_size;
 
@@ -170,6 +171,7 @@ uint8_t MyMesh::handleAnonOwnerReq(const mesh::Identity& sender, uint32_t sender
     reply_path_hash_size = (*data >> 6) + 1;
     data++;
 
+    if (reply_path_len * reply_path_hash_size > MAX_PATH_SIZE) return 0;
     memcpy(reply_path, data, ((uint8_t)reply_path_len) * reply_path_hash_size);
     // data += (uint8_t)reply_path_len * reply_path_hash_size;
 
@@ -190,6 +192,7 @@ uint8_t MyMesh::handleAnonClockReq(const mesh::Identity& sender, uint32_t sender
     reply_path_hash_size = (*data >> 6) + 1;
     data++;
 
+    if (reply_path_len * reply_path_hash_size > MAX_PATH_SIZE) return 0;
     memcpy(reply_path, data, ((uint8_t)reply_path_len) * reply_path_hash_size);
     // data += (uint8_t)reply_path_len * reply_path_hash_size;
 
diff --git a/src/Packet.cpp b/src/Packet.cpp
@@ -22,15 +22,17 @@ size_t Packet::writePath(uint8_t* dest, const uint8_t* src, uint8_t path_len) {
   uint8_t hash_size = (path_len >> 6) + 1;
   size_t len = hash_count*hash_size;
   if (len > MAX_PATH_SIZE) {
-    MESH_DEBUG_PRINTLN("Packet::copyPath, invalid path_len=%d", (uint32_t)path_len);
+    MESH_DEBUG_PRINTLN("Packet::writePath, invalid path_len=%d", (uint32_t)path_len);
     return 0;   // Error
   }
   memcpy(dest, src, len);
   return len;
 }
 
 uint8_t Packet::copyPath(uint8_t* dest, const uint8_t* src, uint8_t path_len) {
-  writePath(dest, src, path_len);
+  if (writePath(dest, src, path_len) == 0 && (path_len & 63) != 0) {
+    return 0;   // Error: writePath failed for non-empty path
+  }
   return path_len;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -22,15 +22,17 @@ size_t Packet::writePath(uint8_t* dest, const uint8_t* src, uint8_t path_len) {`
`22`	`22`	`uint8_t hash_size = (path_len >> 6) + 1;`
`23`	`23`	`size_t len = hash_count*hash_size;`
`24`	`24`	`if (len > MAX_PATH_SIZE) {`
`25`		`- MESH_DEBUG_PRINTLN("Packet::copyPath, invalid path_len=%d", (uint32_t)path_len);`
	`25`	`+ MESH_DEBUG_PRINTLN("Packet::writePath, invalid path_len=%d", (uint32_t)path_len);`
`26`	`26`	`return 0; // Error`
`27`	`27`	`}`
`28`	`28`	`memcpy(dest, src, len);`
`29`	`29`	`return len;`
`30`	`30`	`}`
`31`	`31`
`32`	`32`	`uint8_t Packet::copyPath(uint8_t* dest, const uint8_t* src, uint8_t path_len) {`
`33`		`- writePath(dest, src, path_len);`
	`33`	`+ if (writePath(dest, src, path_len) == 0 && (path_len & 63) != 0) {`
	`34`	`+ return 0; // Error: writePath failed for non-empty path`
	`35`	`+ }`
`34`	`36`	`return path_len;`
`35`	`37`	`}`
`36`	`38`