mirror of https://github.com/meshtastic/firmware.git synced 2026-05-30 11:45:09 -04:00

Go to file

nightjoker7 87f1f9d349 fix(Router): localize p_encrypted to prevent recursive-overwrite leak (#10311 )

Router::handleReceived stores its allocCopy of the encrypted packet in the
class member p_encrypted. callModules() invokes module replies that re-enter
the router via MeshService::sendToMesh -> Router::sendLocal, which on a
broadcast reply recursively calls handleReceived. The inner call overwrites
the outer's p_encrypted without releasing it; on the way out it nulls the
member, the outer release(p_encrypted) now releases nullptr, and the original
allocation is permanently leaked. ~381 B per recursion.

Promote p_encrypted to a function-local so each invocation owns its own copy
for its full lifetime. The MQTT-publish null check at the call site (added by
PR #9136 as a workaround for this bug) stays in place because allocCopy can
still legitimately return nullptr on packetPool exhaustion.

Copilot's review of PR #8999 (the original introduction) flagged this exact
pattern at merge time:
  "Storing p_encrypted as a class member can cause issues with recursive or
  concurrent calls to handleReceived() since each call would overwrite the
  previous packet pointer."

The historical reason for the member (S&F needing to retain the encrypted
copy across calls) was satisfied differently by PR #9799 (ServerAPI converted
to std::unique_ptr + cleanup on connection close), so the member is no longer
load-bearing.

Reproduces issues #9632 / #10101 / #8729 (heap leak when MeshMonitor
connected; TCP drops on Station G2 / LILYGO ServerAPI dump abort).

Hardware A/B on Station G2 under sustained TCP-API retry storm (open :4403,
request config, disconnect mid-stream, repeat at ~0.6/s) - 9 min run:

  | Build         | heapFree drift | rebootCount delta |
  | this patch    | -1.5 KB (noise)| 0                 |
  | stock 2.7.13  | -73 KB (8.1KB/min) | +1 (OOM crash) |

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Ben Meadors <benmmeadors@gmail.com>

2026-04-26 21:03:34 -05:00

.claude/commands

Add USB camera and uhubctl support for new test suite. Also included some bug fixes (#10204 )

2026-04-19 06:51:41 -05:00

.clusterfuzzlite

Develop to master (#9618 )

2026-02-19 07:16:33 -06:00

.devcontainer

Merge branch 'master' into develop

2025-11-06 07:14:51 -06:00

.github

Improve options to align to names of UI options (#10240 )

2026-04-22 11:42:25 -05:00

.trunk

Upgrade trunk (#10284 )

2026-04-24 05:40:44 -05:00

.vscode

Update device-install scripts (#6267 )

2025-03-09 06:43:16 -05:00

bin

Add script to show unmerged commits from develop to master

2026-04-25 06:10:45 -05:00

boards

ESP32: Take away "tbeam" boards PSRAM to reclaim iram (#10036 )

2026-03-30 13:20:19 -05:00

branding

spelling fixes in .md files (#9810 )

2026-03-05 08:54:57 +11:00

data/static

Bundle WebUI (#878 )

2021-10-09 17:15:12 +11:00

debian

Automated version bumps (#10159 )

2026-04-14 13:13:45 -05:00

extra_scripts

Update platformio/espressif32 to v6.12.0 (#7697 )

2025-12-09 09:57:02 -06:00

images

No idea why trunk wants to disturb these PNGs but...

2024-10-08 05:34:41 -05:00

mcp-server

Add USB camera and uhubctl support for new test suite. Also included some bug fixes (#10204 )

2026-04-19 06:51:41 -05:00

meshtestic @ dcac7e5673

python3 ref

2024-09-24 15:24:08 -05:00

monitor

run trunk fmt -a (#9400 )

2026-01-22 15:46:37 -06:00

protobufs @ 249a80855a

Update protobufs (#10295 )

2026-04-25 06:08:07 -05:00

release

Cleans up visibility in GPS.h (#5426 )

2024-11-23 06:10:09 -06:00

src

fix(Router): localize p_encrypted to prevent recursive-overwrite leak (#10311 )

2026-04-26 21:03:34 -05:00

test

Enhance UTF-8 sanitization logic and add delays in test setup for reliable timing

2026-04-25 15:04:58 -05:00

variants

Update platform-native digest to 135b91e (#10300 )

2026-04-25 14:44:06 -05:00

.dockerignore

Initial commit of a fuzzer for Meshtastic (#5790 )

2025-01-16 18:42:21 -06:00

.env.example

meshtasticd-docker: simplify, add USB compose (#5662 )

2024-12-26 12:59:26 -06:00

.envrc

Add initial Nix shell (#8530 )

2026-01-29 10:06:58 -06:00

.gitattributes

update gitattributes for windows (#6289 )

2025-03-11 13:05:51 -05:00

.gitignore

Add MCP server for interacting with meshtastic devices and testing framework / TUI (#10194 )

2026-04-18 11:29:02 -05:00

.gitmodules

Consume device-ui as a pio library (#6193 )

2025-03-05 16:19:59 -06:00

.gitpod.yml

add a .yml to setup a Gitpod instance quickly (#4551 )

2024-08-23 20:24:23 -05:00

.mcp.json

Add MCP server for interacting with meshtastic devices and testing framework / TUI (#10194 )

2026-04-18 11:29:02 -05:00

.semgrepignore

Fix de/compression buffer overflows in TAK packets (#4317 )

2024-07-23 06:16:53 -05:00

AGENTS.md

Add encryption overview to agent instructions in AGENTS.md (#10207 )

2026-04-21 10:49:13 -05:00

alpine.Dockerfile

Develop to master (#9618 )

2026-02-19 07:16:33 -06:00

CODE_OF_CONDUCT.md

Trunk

2024-11-28 06:26:51 -06:00

CONTRIBUTING.md

lol of course trunk fmt

2024-09-04 15:33:28 -07:00

docker-compose.yml

meshtasticd-docker: simplify, add USB compose (#5662 )

2024-12-26 12:59:26 -06:00

Dockerfile

Develop to master (#9618 )

2026-02-19 07:16:33 -06:00

Dockerfile.test

Add Transmit history persistence for respecting traffic intervals between reboots (#9748 )

2026-02-25 20:41:07 -06:00

flake.lock

Add initial Nix shell (#8530 )

2026-01-29 10:06:58 -06:00

flake.nix

Add initial Nix shell (#8530 )

2026-01-29 10:06:58 -06:00

LICENSE

move my bt experiment into its own repo (about to remove ttn)

2020-02-01 08:30:53 -08:00

meshtasticd.spec.rpkg

Develop to master (#9618 )

2026-02-19 07:16:33 -06:00

partition-table-8MB.csv

reorganize 8MB partition for MUI devices (#7860 )

2025-09-08 05:56:47 -05:00

partition-table.csv

- new Bootloader for ESP-IDF 4.2

2022-09-26 22:42:58 +02:00

platformio.ini

Update meshtastic-esp8266-oled-ssd1306 digest to 6bfd1f1 (#10277 )

2026-04-23 19:30:47 -05:00

pyocd.yaml

Add semihosting support for nrf52 devices (#4137 )

2024-06-24 10:27:37 -05:00

README.md

Trunk fmt

2025-11-20 06:14:29 -06:00

renovate.json

Renovate: Don't update branches outside the schedule (daily) (#10039 )

2026-03-30 14:36:59 -05:00

rpkg.conf

rpkg Fedora packaging (#5735 )

2025-01-13 12:24:05 +08:00

SECURITY.md

Update security policy to reflect new stage

2026-01-02 06:42:28 -06:00

shell.nix

Add initial Nix shell (#8530 )

2026-01-29 10:06:58 -06:00

suppressions.txt

Unify the native display config between legacy display and MUI (#6838 )

2025-06-21 06:36:04 -05:00

userPrefs.jsonc

Add USB camera and uhubctl support for new test suite. Also included some bug fixes (#10204 )

2026-04-19 06:51:41 -05:00

version.properties

Automated version bumps (#10159 )

2026-04-14 13:13:45 -05:00

README.md

Meshtastic Firmware

Website - Documentation

Overview

This repository contains the official device firmware for Meshtastic, an open-source LoRa mesh networking project designed for long-range, low-power communication without relying on internet or cellular infrastructure. The firmware supports various hardware platforms, including ESP32, nRF52, RP2040/RP2350, and Linux-based devices.

Meshtastic enables text messaging, location sharing, and telemetry over a decentralized mesh network, making it ideal for outdoor adventures, emergency preparedness, and remote operations.

Get Started

🔧 Building Instructions – Learn how to compile the firmware from source.
⚡ Flashing Instructions – Install or update the firmware on your device.

Join our community and help improve Meshtastic! 🚀

Stats

Languages

C++ 62.7%

C 28.4%

Python 8%

Shell 0.5%

Batchfile 0.2%

Other 0.1%

README.md Unescape Escape

Meshtastic Firmware

Overview

Get Started

Stats

README.md