From 9ed622f594a9d81260cadc37b7647f21bd683f1b Mon Sep 17 00:00:00 2001
From: Wessel Nieboer <wessel@weebl.me>
Date: Wed, 11 Feb 2026 03:38:50 +0100
Subject: [PATCH] tighten TRACE path_len guard to account for SNR append

The TRACE forwarding path appends an SNR byte to pkt->path via
path_len++, but the guard only checked path_len < MAX_PATH_SIZE.
When path_len entered as MAX_PATH_SIZE - 1, the write was in-bounds
but left path_len equal to MAX_PATH_SIZE, which could cause off-by-one
issues in downstream code that uses path_len as an index.

Change the guard to path_len + 1 < MAX_PATH_SIZE so there is always
room for the append without path_len reaching MAX_PATH_SIZE.
---
 src/Mesh.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Mesh.cpp b/src/Mesh.cpp
index 0548c9073..d8a83fb73 100644
--- a/src/Mesh.cpp
+++ b/src/Mesh.cpp
@@ -45,7 +45,7 @@ DispatcherAction Mesh::onRecvPacket(Packet* pkt) {
   }
 
   if (pkt->isRouteDirect() && pkt->getPayloadType() == PAYLOAD_TYPE_TRACE) {
-    if (pkt->path_len < MAX_PATH_SIZE) {
+    if (pkt->path_len + 1 < MAX_PATH_SIZE) {
       uint8_t i = 0;
       uint32_t trace_tag;
       memcpy(&trace_tag, &pkt->payload[i], 4); i += 4;