From f19a8259c08c63f1fc7b78598d3585d67885da8a Mon Sep 17 00:00:00 2001
From: Wessel Nieboer <wessel@weebl.me>
Date: Wed, 11 Feb 2026 03:19:13 +0100
Subject: [PATCH 1/2] fix bounds check on PAYLOAD_TYPE_PATH decrypted data

The path_len field inside the decrypted PATH payload was used to advance
the parse cursor without validating it against the actual decrypted data
length. A malicious peer sharing a key could craft a PATH packet with an
oversized path_len, causing out-of-bounds reads past the decrypted buffer
when accessing the extra_type byte and extra data pointer.

Add a bounds check after reading path_len to ensure the decrypted buffer
contains enough bytes for the claimed path plus the mandatory extra_type
byte before dereferencing.
---
 src/Mesh.cpp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Mesh.cpp b/src/Mesh.cpp
index 57fee1403..afc46df11 100644
--- a/src/Mesh.cpp
+++ b/src/Mesh.cpp
@@ -155,6 +155,7 @@ DispatcherAction Mesh::onRecvPacket(Packet* pkt) {
                 uint8_t path_len = data[k++];
                 uint8_t hash_size = (path_len >> 6) + 1;
                 uint8_t hash_count = path_len & 63;
+                if (k + hash_size*hash_count + 1 > len) break;  // bounds check: need path bytes + extra_type byte
                 uint8_t* path = &data[k]; k += hash_size*hash_count;
                 uint8_t extra_type = data[k++] & 0x0F;   // upper 4 bits reserved for future use
                 uint8_t* extra = &data[k];

From b436192c3f9ddfb5a0443a9b19bf712f85d2011c Mon Sep 17 00:00:00 2001
From: Wessel Nieboer <wessel@weebl.me>
Date: Wed, 11 Feb 2026 03:41:16 +0100
Subject: [PATCH 2/2] add debug log for malformed PATH payload

Log path_len and len when the bounds check fails, making it easier to
diagnose malformed or corrupt packets during development.
---
 src/Mesh.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/Mesh.cpp b/src/Mesh.cpp
index afc46df11..4dd4bc6d3 100644
--- a/src/Mesh.cpp
+++ b/src/Mesh.cpp
@@ -155,7 +155,10 @@ DispatcherAction Mesh::onRecvPacket(Packet* pkt) {
                 uint8_t path_len = data[k++];
                 uint8_t hash_size = (path_len >> 6) + 1;
                 uint8_t hash_count = path_len & 63;
-                if (k + hash_size*hash_count + 1 > len) break;  // bounds check: need path bytes + extra_type byte
+                if (k + hash_size*hash_count + 1 > len) {  // bounds check: need path bytes + extra_type byte
+                  MESH_DEBUG_PRINTLN("%s Mesh::onRecvPacket(): bad PATH payload format, path_len=%d len=%d", getLogDateTime(), (int)path_len, (int)len);
+                  break;
+                }
                 uint8_t* path = &data[k]; k += hash_size*hash_count;
                 uint8_t extra_type = data[k++] & 0x0F;   // upper 4 bits reserved for future use
                 uint8_t* extra = &data[k];