Add minimum payload_len check for TRACE packet parsing

weebl2000 · weebl2000 · commit 0bb3a0e0b083 · 2026-04-04T13:18:56.000+02:00
The TRACE handler reads 9 bytes (trace_tag, auth_code, flags) from the
payload before any length validation. A short TRACE packet causes reads
of stale buffer data and an underflow in the remaining-length
calculation (uint8_t len = payload_len - 9 wraps to ~247).

Add payload_len &gt;= 9 to the existing guard condition so undersized
TRACE packets are silently dropped.
diff --git a/src/Mesh.cpp b/src/Mesh.cpp
@@ -40,7 +40,7 @@ int Mesh::searchChannelsByHash(const uint8_t* hash, GroupChannel channels[], int
 
 DispatcherAction Mesh::onRecvPacket(Packet* pkt) {
   if (pkt->isRouteDirect() && pkt->getPayloadType() == PAYLOAD_TYPE_TRACE) {
-    if (pkt->path_len < MAX_PATH_SIZE) {
+    if (pkt->path_len < MAX_PATH_SIZE && pkt->payload_len >= 9) {  // need trace_tag(4) + auth_code(4) + flags(1)
       uint8_t i = 0;
       uint32_t trace_tag;
       memcpy(&trace_tag, &pkt->payload[i], 4); i += 4;
