Conversation

@weebl2000
Contributor

Severity: High

Summary

The TRACE packet handler compares this node's identity hash against an entry in the payload to decide whether to forward the packet. The hash size is variable — 1, 2, 4, or 8 bytes depending on the path_sz field in the packet flags. The existing bounds check (offset >= len) only verifies that the start of the hash is within the payload, but doesn't account for the full hash length. When offset is close to the end of the payload, isHashMatch reads past the buffer boundary.

How this can be exploited

Any node on the mesh can send TRACE packets — they're unauthenticated and travel as direct-routed. An attacker crafts a TRACE packet with:

  • A path_sz flag of 3 (meaning 8-byte hashes)
  • A payload length where offset falls near the end, leaving fewer than 8 bytes remaining

Every node that receives this packet calls isHashMatch which reads 8 bytes starting at payload[i + offset], but only 1-7 bytes are actually part of the payload. The remaining bytes come from whatever sits after the payload buffer in memory.

What this enables:

  • Crash / reboot — if the over-read hits unmapped memory or a guard page, the node hard-faults and reboots, losing all in-memory routing state. Repeatedly sending these packets keeps target nodes in a reboot loop.
  • Targeted node disruption — since TRACE packets are direct-routed along a specified path, an attacker can target specific nodes in the mesh rather than broadcasting indiscriminately.
  • Potential information leak — if the hash comparison happens to match against the out-of-bounds memory contents, the node forwards the packet with SNR data appended, confirming to the attacker what memory contents looked like at that offset.

Users would see this as intermittent reboots, broken path traces, or nodes that become temporarily unreachable.

Fix

Add a bounds check ensuring offset + hash_sz <= len before calling isHashMatch. Packets that don't have enough payload bytes for a full hash comparison are now silently dropped.

Test plan

  • Normal path traces still work (single-byte and multi-byte hash modes)
  • TRACE packets that reach end of path still handled correctly (offset >= len branch)
  • Build tested on Heltec_v3_companion_radio_ble

The TRACE handler uses isHashMatch() to compare this node's hash against
an entry in the payload, but did not verify that enough bytes remain in
the payload for the full hash comparison. The hash size is variable
(1, 2, 4, or 8 bytes depending on path_sz), so when offset is close to
the end of the payload, isHashMatch reads past the buffer boundary.

Add a bounds check ensuring offset + hash_sz <= len before calling
isHashMatch, preventing the over-read.
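
As an added illustration, not code from this PR or the project, the bounds check described above in C with the pre-fix and post-fix variants side by side. The function names, the `TRACE_*` result codes, the packet layout and the sample bytes are assumptions modelled on the description only.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names; only the shape described in the PR is modelled:
 * a 2-bit path_sz selects a 1, 2, 4 or 8-byte hash. */
enum { TRACE_DROP = -1, TRACE_NO_MATCH = 0, TRACE_MATCH = 1, TRACE_END_OF_PATH = 2 };

static size_t hash_size_from_flags(uint8_t path_sz) {
    return (size_t)1 << (path_sz & 0x03);            /* 0..3 -> 1,2,4,8 */
}

/* Check as described before the fix: only the hash START must lie inside len. */
static bool entry_fits_before_fix(size_t offset, size_t hash_sz, size_t len) {
    (void)hash_sz;
    return offset < len;
}

/* Check after the fix: offset + hash_sz <= len, written as a subtraction so
 * the addition cannot wrap around on a large offset. */
static bool entry_fits_after_fix(size_t offset, size_t hash_sz, size_t len) {
    return offset < len && hash_sz <= len - offset;
}

/* Simplified handler using the fixed check. End-of-path (offset >= len) is
 * still recognised first, as the PR's test plan requires. */
static int trace_check_entry(const uint8_t *payload, size_t len, size_t offset,
                             uint8_t path_sz, const uint8_t *my_hash) {
    size_t hash_sz = hash_size_from_flags(path_sz);
    if (offset >= len) return TRACE_END_OF_PATH;
    if (!entry_fits_after_fix(offset, hash_sz, len)) return TRACE_DROP;
    return memcmp(payload + offset, my_hash, hash_sz) == 0 ? TRACE_MATCH : TRACE_NO_MATCH;
}

/* Constructed sample: 8-byte payload whose last four bytes equal the first
 * four bytes of this node's (constructed) hash. */
static const uint8_t kSamplePayload[8] = {0xAA, 0xBB, 0xCC, 0xDD, 0x01, 0x02, 0x03, 0x04};
static const uint8_t kMyHash[8]        = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08};

int main(void) {
    /* offset 4 with path_sz 3 asks for 8 bytes but only 4 remain */
    printf("before fix: %d\n", entry_fits_before_fix(4, 8, sizeof kSamplePayload)); /* 1: over-read */
    printf("after fix:  %d\n", entry_fits_after_fix(4, 8, sizeof kSamplePayload));  /* 0: dropped */
    printf("handler:    %d\n", trace_check_entry(kSamplePayload, 8, 4, 3, kMyHash)); /* -1 */
    printf("4-byte:     %d\n", trace_check_entry(kSamplePayload, 8, 4, 2, kMyHash)); /* 1 */
    return 0;
}
```

Swapping `entry_fits_after_fix` for `entry_fits_before_fix` inside `trace_check_entry` reproduces the over-read: `memcmp` would then read four bytes beyond `kSamplePayload`.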
