Skip to content

Check ACK payload_len before memcpy, not after#1665

Closed
weebl2000 wants to merge 1 commit intomeshcore-dev:devfrom
weebl2000:fix/ack-memcpy-bounds-order
Closed

Check ACK payload_len before memcpy, not after#1665
weebl2000 wants to merge 1 commit intomeshcore-dev:devfrom
weebl2000:fix/ack-memcpy-bounds-order

Conversation

@weebl2000
Copy link
Contributor

@weebl2000 weebl2000 commented Feb 11, 2026
edited
Loading

Severity: Low

Summary

Both ACK packet handlers in Mesh::onRecvPacket copy 4 bytes from the payload via memcpy before checking whether payload_len >= 4:

  1. Direct-route early ACK (line 83–86): memcpy then if (i <= pkt->payload_len)
  2. Flood ACK (line 118–121): memcpy then if (i > pkt->payload_len)

When payload_len < 4, the memcpy reads stale data from within the 184-byte payload buffer. The result (ack_crc) is discarded in both cases — the subsequent length check prevents it from being used — but the ordering is incorrect.

Fix

Move the payload_len >= 4 check before the memcpy in both locations. Short ACK packets are now rejected without touching the payload data.

Test plan

  • Normal ACK processing still works (direct and flood)
  • Short/corrupt ACK packets are silently dropped
  • Build tested on Heltec_v3_companion_radio_ble

Build firmware: Build from this branch

@weebl2000
Check ACK payload_len before memcpy, not after
fd0355e 
Both ACK handlers (direct-route early ACK and flood ACK) copy 4 bytes
from the payload before checking payload_len >= 4. Move the bounds
check before the memcpy so short ACK packets are rejected without
reading stale buffer data.
@ripplebiz ripplebiz closed this Feb 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@weebl2000 @ripplebiz