Fix out_frame buffer overflow in companion radio response handlers#1659
Open
weebl2000 wants to merge 1 commit into meshcore-dev:dev from
The `onContactResponse` handler copies peer response data into `out_frame` (`MAX_FRAME_SIZE + 1` bytes) without checking whether the data fits. A peer response with `len` close to `MAX_PACKET_PAYLOAD` (184) writes up to 188 bytes into the 173-byte buffer, overflowing by 15 bytes. This affects the status response, telemetry response, and binary response code paths. A malicious peer can trigger the overflow by sending a large response payload, corrupting the stack. Cap each `memcpy` to the remaining space in `out_frame` before copying.
Severity: High

Summary

The `onContactResponse` handler in the companion radio firmware copies peer response data into `out_frame` without checking whether the data fits. The `out_frame` buffer is `MAX_FRAME_SIZE + 1` (173 bytes), but peer responses can be up to `MAX_PACKET_PAYLOAD` (184 bytes).

Three code paths are affected: status response, telemetry response, and binary response. Each writes a small header (6-8 bytes) then copies `len - 4` bytes of response data. When `len` is close to 184, the total write reaches 188 bytes, overflowing the buffer by 15 bytes.

How this can be exploited

A malicious peer that you've logged into (repeater, room server) can send an oversized status or telemetry response. The companion radio node receives and decrypts it successfully (the peer has a valid shared secret), then copies the response into the undersized `out_frame` buffer on the stack.

This corrupts adjacent stack variables and the return address. On ESP32, this causes a crash/reboot at minimum, and could potentially be leveraged for code execution. An attacker could use this to:

- Users would see their device crash or reboot every time it connects to a specific repeater or room server.

Fix

Cap the `memcpy` length to the remaining space in `out_frame` before copying, in all three affected code paths. Oversized responses are truncated rather than overflowing.

Test plan

- Heltec_v3_companion_radio_ble
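The arithmetic behind the overflow and the capped-copy fix described above, as an added C example that is not code from MeshCore or from this PR. The buffer sizes (173-byte `out_frame`, 184-byte maximum payload) are the ones the report states; the 8-byte header layout, the `build_response_frame` helper and the canary harness are assumptions made for illustration only.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Sizes as stated in the PR: out_frame is MAX_FRAME_SIZE + 1 = 173 bytes,
   a peer response payload can be up to MAX_PACKET_PAYLOAD = 184 bytes. */
#define MAX_FRAME_SIZE     172
#define OUT_FRAME_BYTES    (MAX_FRAME_SIZE + 1)
#define MAX_PACKET_PAYLOAD 184

/* The PR says each affected path writes a 6-8 byte header and then len - 4
   bytes of data. An 8-byte header is assumed here; its layout is invented
   for illustration and is not MeshCore's real framing. */
#define RESP_HEADER_BYTES 8

/* Bytes the unchecked handler would write for a response of `len` bytes.
   Arithmetic only; nothing is copied. */
size_t unchecked_write_size(size_t len) {
    if (len < 4) return 0;
    return RESP_HEADER_BYTES + (len - 4);
}

/* Hardened handler: write the header, then copy only as much response data
   as fits in the remaining space of out_frame (the PR's fix).
   Returns bytes written, or 0 if the input cannot carry a 4-byte prefix
   or the buffer cannot even hold the header. */
size_t build_response_frame(const uint8_t *resp, size_t len,
                            uint8_t *out_frame, size_t out_cap) {
    if (len < 4 || out_cap < RESP_HEADER_BYTES) return 0;

    size_t pos = 0;
    out_frame[pos++] = 0x01;                    /* assumed: response-type code */
    memcpy(&out_frame[pos], resp, 4); pos += 4; /* assumed: 4-byte prefix of the response */
    memset(&out_frame[pos], 0, 3);    pos += 3; /* assumed: padding to an 8-byte header */

    size_t data_len = len - 4;
    size_t room = out_cap - pos;
    if (data_len > room) data_len = room;       /* cap to the space that is left */
    memcpy(&out_frame[pos], &resp[4], data_len);
    return pos + data_len;
}

/* Harness: a 173-byte out_frame followed directly by a canary word, so any
   write past the buffer is visible. The response payload is constructed. */
struct framed { uint8_t out_frame[OUT_FRAME_BYTES]; uint32_t canary; };

static size_t run_hardened(size_t len, struct framed *f) {
    uint8_t resp[MAX_PACKET_PAYLOAD];
    for (size_t i = 0; i < sizeof resp; i++) resp[i] = (uint8_t)i; /* constructed payload */
    if (len > sizeof resp) len = sizeof resp;
    memset(f, 0, sizeof *f);
    f->canary = 0xDEADBEEFu;
    return build_response_frame(resp, len, f->out_frame, sizeof f->out_frame);
}

/* Bytes the hardened handler writes for a response of `len` bytes. */
size_t hardened_write_size(size_t len) {
    struct framed f;
    return run_hardened(len, &f);
}

/* 1 if the canary after out_frame is untouched after handling `len` bytes. */
int canary_survives(size_t len) {
    struct framed f;
    run_hardened(len, &f);
    return f.canary == 0xDEADBEEFu;
}

int main(void) {
    printf("unchecked write for len=%d: %zu bytes into a %d-byte buffer\n",
           MAX_PACKET_PAYLOAD, unchecked_write_size(MAX_PACKET_PAYLOAD), OUT_FRAME_BYTES);
    printf("hardened write: %zu bytes, canary %s\n",
           hardened_write_size(MAX_PACKET_PAYLOAD),
           canary_survives(MAX_PACKET_PAYLOAD) ? "intact" : "CORRUPTED");
    return 0;
}
```

The cap is computed from `out_cap - pos`, the space actually left after the header, rather than from a fixed constant, so the same guard stays correct if the header length differs between the status, telemetry and binary paths.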