Skip to content

Security Fixes: Buffer Overflow Prevention and Packet Validation #1205

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
arijanluiken wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Security Fixes: Buffer Overflow Prevention and Packet Validation #1205

arijanluiken wants to merge 2 commits into from

Conversation

@arijanluiken
Copy link

@arijanluiken arijanluiken commented Dec 11, 2025
edited
Loading

Overview

This PR addresses two critical security vulnerabilities identified in the MeshCore codebase:

  • Unsafe string operations leading to potential buffer overflows
  • Insufficient input validation in packet parsing

@arijanluiken
Security fixes: Replace unsafe string operations and improve packet v…
0b452af 
…alidation

- Issue meshcore-dev#3: Replace all strcpy/sprintf with strncpy/snprintf to prevent buffer overflows
  * Fixed CommonCLI.cpp: All command responses now use bounded string operations
  * Fixed RegionMap.cpp: Safe string copying for wildcard name
  * Removed password echoing (security issue)

- Issue meshcore-dev#7: Improve Packet::readFrom() validation
  * Add bounds checking before all memory operations
  * Validate minimum packet size upfront
  * Check transport codes fit in buffer before copying
  * Verify path_len and payload_len before memcpy
  * Prevent buffer overruns from malformed packets
@liquidraver
Copy link
Contributor

liquidraver commented Dec 11, 2025

wow, readFrom() buffer overflow sounds plausible, that is the one that can be exploited without authentication I would focus only on that at first.

The others are.... already expecting a serial or admin access, so low priority IMHO.

also can't find MAX_SERIAL_MSG_SIZE deifned anywhere, where did you get it?

@arijanluiken
Copy link
Author

arijanluiken commented Dec 11, 2025

I did not define it, it should be 160.

@arijanluiken
Define MAX_SERIAL_MSG_SIZE constant (160 bytes)
8471631 
- Matches the buffer size used in all example applications
- Required for the bounded string operations added in security fixes
jbrazio
jbrazio reviewed Dec 12, 2025
View reviewed changes
src/helpers/CommonCLI.h
#define WITH_BRIDGE
#endif

#define MAX_SERIAL_MSG_SIZE 160
Copy link
Contributor

@jbrazio jbrazio Dec 12, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@liquidraver was defined here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@jbrazio jbrazio jbrazio left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@arijanluiken @liquidraver @jbrazio