Bounds-check reply_path in anonymous request handlers#1664
Open
weebl2000 wants to merge 1 commit into meshcore-dev:dev from
Conversation
The handleAnon*Req functions read a reply_path_len byte from the decrypted data and memcpy that many bytes into reply_path, without checking that the data buffer actually contains that many bytes. With a minimal-length packet, this reads up to 63 bytes of uninitialized stack memory. Add a data_len parameter to all three handlers and validate that the buffer contains enough bytes for the claimed reply_path_len before copying. Also guard the callers to ensure len > 5 before passing &data[5].
Severity: Medium

Summary

The handleAnonRegionsReq, handleAnonOwnerReq, and handleAnonClockReq functions in the repeater firmware read a reply_path_len byte (masked to 0–63) from the decrypted payload and immediately memcpy that many bytes into reply_path. The caller passes a bare pointer (&data[5]) without any remaining-length information, so the handlers have no way to validate whether the data buffer actually contains reply_path_len bytes.

With a minimal-length anonymous request (16 bytes decrypted from one AES block), only 11 bytes remain after offset 5. A reply_path_len of 63 causes a read of 52 bytes of uninitialized stack memory into reply_path, which is then used to route the response.

Who can exploit this: any node — anonymous requests use ECDH with the receiver's public key, so any sender can produce a valid MAC.

What it takes: a single crafted ANON_REQ packet.

What users might see

The node sends a response with a garbage routing path, wasting airtime. The response is unlikely to be delivered. No crash — reads stay within the 184-byte data[] stack buffer.

Fix

- Add a data_len parameter to all three handleAnon*Req functions
- Validate 1 + reply_path_len <= data_len before the memcpy
- Guard onAnonDataRecv to ensure len > 5 before passing &data[5]

Test plan

- Heltec_v3_repeater
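The check the PR describes, written out as an added example in C. This is not the meshcore firmware's own code; the function and type names (parse_reply_path_checked, on_anon_data_recv, reply_path_t), the REPLY_PATH_MAX constant and the sample packets are assumptions constructed for illustration. Only the facts the PR states are carried over: callers pass &data[5] (a 5-byte header), reply_path_len is masked to 0–63, and the fix is to pass the remaining length into the handler and require 1 + reply_path_len <= data_len before the memcpy. The unchecked "before" shape is kept alongside for contrast and is only ever called on a buffer that really contains the claimed path.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not firmware code. Models the bounds check from PR #1664. */

#define REPLY_PATH_MAX 63   /* reply_path_len is masked to 0-63 (from the PR) */
#define ANON_HDR_LEN   5    /* callers pass &data[5], i.e. a 5-byte header */

typedef struct {
    uint8_t len;                    /* number of hops actually copied */
    uint8_t hops[REPLY_PATH_MAX];   /* assumed name for the reply_path storage */
} reply_path_t;

/* "Before": the pattern the PR fixes. The length byte is trusted and the copy
   is issued without knowing how many bytes the payload really holds. Kept for
   contrast only; the demo below calls it solely on a buffer that fits. */
static void parse_reply_path_unchecked(const uint8_t *payload, reply_path_t *out) {
    out->len = payload[0] & 0x3F;
    memcpy(out->hops, &payload[1], out->len);   /* no check against payload size */
}

/* "After": the handler receives the remaining length (payload_len) and
   validates 1 + reply_path_len <= payload_len before the memcpy.
   Returns false when the packet must be dropped. */
static bool parse_reply_path_checked(const uint8_t *payload, size_t payload_len,
                                     reply_path_t *out) {
    if (payload_len < 1) return false;                /* not even a length byte */
    uint8_t n = payload[0] & 0x3F;                    /* same 0-63 mask as the firmware */
    if ((size_t)1 + n > payload_len) return false;    /* claimed path exceeds buffer */
    out->len = n;
    memcpy(out->hops, &payload[1], n);
    return true;
}

/* Caller-side guard from the PR: require len > 5 before forming &data[5], then
   hand the handler the bytes that remain. Returns 1 if a path was parsed,
   0 if the packet was dropped. */
static int on_anon_data_recv(const uint8_t *data, size_t len, reply_path_t *out) {
    if (len <= ANON_HDR_LEN) return 0;
    return parse_reply_path_checked(&data[ANON_HDR_LEN], len - ANON_HDR_LEN, out) ? 1 : 0;
}

/* Constructed sample: a 16-byte decrypted block (one AES block) whose length
   byte claims 63 hops, while only 10 bytes follow it after the 5-byte header.
   The checked path refuses it instead of copying past the real data. */
static int demo_short_packet_rejected(void) {
    uint8_t data[16] = {0};
    data[ANON_HDR_LEN] = 63;
    reply_path_t rp;
    return on_anon_data_recv(data, sizeof data, &rp);   /* 0: dropped */
}

/* Constructed sample: a 3-hop path that fits exactly. Both the unchecked and
   the checked parser see the same bytes, so they must agree. */
static int demo_valid_packet_accepted(void) {
    uint8_t data[ANON_HDR_LEN + 1 + 3] = {0};
    data[ANON_HDR_LEN]     = 3;
    data[ANON_HDR_LEN + 1] = 0x11;
    data[ANON_HDR_LEN + 2] = 0x22;
    data[ANON_HDR_LEN + 3] = 0x33;
    reply_path_t checked, unchecked;
    if (!on_anon_data_recv(data, sizeof data, &checked)) return 0;
    parse_reply_path_unchecked(&data[ANON_HDR_LEN], &unchecked);  /* safe: path fits */
    return checked.len == 3 && unchecked.len == 3 &&
           memcmp(checked.hops, unchecked.hops, 3) == 0 &&
           checked.hops[0] == 0x11 && checked.hops[2] == 0x33;
}
```

The boundary case worth keeping in a regression test is the one where the claimed path uses every remaining byte: with 11 bytes after the header, a reply_path_len of 10 is the largest value the checked parser accepts, and 11 is the smallest it rejects.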