From e229c1953471b5d73872e1533096238f734e0686 Mon Sep 17 00:00:00 2001
From: Stephen Waits
Date: Mon, 11 May 2026 17:23:19 -0600
Subject: [PATCH] fix(advert): bounds-check optional fields before memcpy

---
 src/helpers/AdvertDataHelpers.cpp | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/helpers/AdvertDataHelpers.cpp b/src/helpers/AdvertDataHelpers.cpp
index 0e05620ec2..e441d1e49d 100644
--- a/src/helpers/AdvertDataHelpers.cpp
+++ b/src/helpers/AdvertDataHelpers.cpp
@@ -32,16 +32,23 @@
   _flags = app_data[0];
   _valid = false;
   _extra1 = _extra2 = 0;
-
+
   int i = 1;
+  // Bounds-check each optional field BEFORE memcpy: a crafted advert with all
+  // FLAG_* bits set but app_data_len=1 would otherwise over-read up to 12 bytes
+  // past the buffer (the trailing app_data_len >= i check below only catches it
+  // after the fact). Returning early leaves _valid=false.
   if (_flags & ADV_LATLON_MASK) {
+    if (i + 8 > app_data_len) return;
     memcpy(&_lat, &app_data[i], 4); i += 4;
     memcpy(&_lon, &app_data[i], 4); i += 4;
   }
   if (_flags & ADV_FEAT1_MASK) {
+    if (i + 2 > app_data_len) return;
     memcpy(&_extra1, &app_data[i], 2); i += 2;
   }
   if (_flags & ADV_FEAT2_MASK) {
+    if (i + 2 > app_data_len) return;
     memcpy(&_extra2, &app_data[i], 2); i += 2;
   }