From 24c4e0b1b880697f74a4ef152d68ecf57babc215 Mon Sep 17 00:00:00 2001
From: Wessel Nieboer <wessel@weebl.me>
Date: Wed, 11 Feb 2026 03:19:13 +0100
Subject: [PATCH 1/2] fix bounds check on PAYLOAD_TYPE_PATH decrypted data

The path_len field inside the decrypted PATH payload was used to advance
the parse cursor without validating it against the actual decrypted data
length. A malicious peer sharing a key could craft a PATH packet with an
oversized path_len, causing out-of-bounds reads past the decrypted buffer
when accessing the extra_type byte and extra data pointer.

Add a bounds check after reading path_len to ensure the decrypted buffer
contains enough bytes for the claimed path plus the mandatory extra_type
byte before dereferencing.
---
 src/Mesh.cpp | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/Mesh.cpp b/src/Mesh.cpp
index 0548c9073..9329042f6 100644
--- a/src/Mesh.cpp
+++ b/src/Mesh.cpp
@@ -158,6 +158,7 @@ DispatcherAction Mesh::onRecvPacket(Packet* pkt) {
               if (pkt->getPayloadType() == PAYLOAD_TYPE_PATH) {
                 int k = 0;
                 uint8_t path_len = data[k++];
+                if (k + path_len + 1 > len) break;  // bounds check: need path_len bytes + extra_type byte
                 uint8_t* path = &data[k]; k += path_len;
                 uint8_t extra_type = data[k++] & 0x0F;   // upper 4 bits reserved for future use
                 uint8_t* extra = &data[k];

From 244db70c4b92d9a6ac9809a5eafc351ad9e8ea8e Mon Sep 17 00:00:00 2001
From: Wessel Nieboer <wessel@weebl.me>
Date: Wed, 11 Feb 2026 03:41:16 +0100
Subject: [PATCH 2/2] add debug log for malformed PATH payload

Log path_len and len when the bounds check fails, making it easier to
diagnose malformed or corrupt packets during development.
---
 src/Mesh.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/Mesh.cpp b/src/Mesh.cpp
index 9329042f6..2b1b3e2c8 100644
--- a/src/Mesh.cpp
+++ b/src/Mesh.cpp
@@ -158,7 +158,10 @@ DispatcherAction Mesh::onRecvPacket(Packet* pkt) {
               if (pkt->getPayloadType() == PAYLOAD_TYPE_PATH) {
                 int k = 0;
                 uint8_t path_len = data[k++];
-                if (k + path_len + 1 > len) break;  // bounds check: need path_len bytes + extra_type byte
+                if (k + path_len + 1 > len) {  // bounds check: need path_len bytes + extra_type byte
+                  MESH_DEBUG_PRINTLN("%s Mesh::onRecvPacket(): bad PATH payload format, path_len=%d len=%d", getLogDateTime(), (int)path_len, (int)len);
+                  break;
+                }
                 uint8_t* path = &data[k]; k += path_len;
                 uint8_t extra_type = data[k++] & 0x0F;   // upper 4 bits reserved for future use
                 uint8_t* extra = &data[k];