From d10fcd4e16d1b416115216f4a9d7db7873f9815f Mon Sep 17 00:00:00 2001
From: Wessel Nieboer
Date: Wed, 11 Feb 2026 04:35:34 +0100
Subject: [PATCH 1/2] Validate buffer length before reading fields in Packet::readFrom

readFrom reads the header byte, transport codes (4 bytes), and path_len from the source buffer before any length validation. With a short input, these reads go past the end of the buffer. Add upfront length checks: minimum 2 bytes overall, transport codes require 4 additional bytes, and path must fit before the remaining payload.
---
 src/Packet.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/Packet.cpp b/src/Packet.cpp
index 2d54ca459..3d5e937da 100644
--- a/src/Packet.cpp
+++ b/src/Packet.cpp
@@ -39,9 +39,11 @@ uint8_t Packet::writeTo(uint8_t dest[]) const {
 }
 bool Packet::readFrom(const uint8_t src[], uint8_t len) {
+ if (len < 2) return false; // minimum: header + path_len
 uint8_t i = 0;
 header = src[i++];
 if (hasTransportCodes()) {
+ if (i + 4 >= len) return false; // need 4 bytes for transport codes + path_len after
 memcpy(&transport_codes[0], &src[i], 2); i += 2;
 memcpy(&transport_codes[1], &src[i], 2); i += 2;
 } else {
@@ -49,8 +51,8 @@ bool Packet::readFrom(const uint8_t src[], uint8_t len) {
 }
 path_len = src[i++];
 if (path_len > sizeof(path)) return false; // bad encoding
+ if (i + path_len >= len) return false; // path + at least 1 byte payload must fit
 memcpy(path, &src[i], path_len); i += path_len;
- if (i >= len) return false; // bad encoding
 payload_len = len - i;
 if (payload_len > sizeof(payload)) return false; // bad encoding
 memcpy(payload, &src[i], payload_len); //i += payload_len;
From ef97fe23ee3fb913db33c89ad60e6ec3f1f8ab5a Mon Sep 17 00:00:00 2001
From: Wessel Nieboer
Date: Wed, 11 Feb 2026 04:43:33 +0100
Subject: [PATCH 2/2] Clarify bounds check comment in Packet::readFrom
---
 src/Packet.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
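Review bot: A rejected input still modifies the Packet: the new early return inside `if (hasTransportCodes())` runs after `header = src[i++]` has been assigned, and in the second hunk `path_len` is stored before either of its checks, so it can be left larger than `sizeof(path)`. Whether that is harmful depends on what callers do with the object after a false return, which is not visible here. I would either clear the field on the reject path, e.g. `if (path_len > sizeof(path)) { path_len = 0; return false; }`, or state the contract above the function: `// On false the Packet is partially overwritten; reset it before reuse.` The body of readFrom continues past both hunks.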
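Review bot: The added check `if (i + path_len >= len)` relies on the addition being evaluated as `int`, which the line does not say. `i` is a `uint8_t`, and if `path_len` is also 8-bit (its declaration is outside the hunk), storing the sum in an 8-bit variable could wrap, depending on how large `sizeof(path)` is. A later refactor such as `uint8_t end = i + path_len;` would weaken the guard without any visible change in intent. I would extend the trailing comment to `// path + at least 1 byte payload must fit (sum is computed as int, no 8-bit wrap)`.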
diff --git a/src/Packet.cpp b/src/Packet.cpp
index 3d5e937da..e0bae3f2b 100644
--- a/src/Packet.cpp
+++ b/src/Packet.cpp
@@ -43,7 +43,7 @@ bool Packet::readFrom(const uint8_t src[], uint8_t len) {
 uint8_t i = 0;
 header = src[i++];
 if (hasTransportCodes()) {
- if (i + 4 >= len) return false; // need 4 bytes for transport codes + path_len after
+ if (i + 4 >= len) return false; // need 4 transport bytes + the path_len byte
 memcpy(&transport_codes[0], &src[i], 2); i += 2;
 memcpy(&transport_codes[1], &src[i], 2); i += 2;
 } else {