From 7727b2d69e68cf10cdf3e2bf60377eed4c62f2fd Mon Sep 17 00:00:00 2001
From: Matthias Ringwald
Date: Tue, 4 Aug 2020 20:50:42 +0200
Subject: [PATCH] mesh: fix buffer overrun on network pdu setup
---
 src/mesh/mesh_network.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/mesh/mesh_network.c b/src/mesh/mesh_network.c
index 7392aeafa..0d60cfd2e 100644
--- a/src/mesh/mesh_network.c
+++ b/src/mesh/mesh_network.c
@@ -1129,11 +1129,12 @@ void mesh_network_setup_pdu(mesh_network_pdu_t * network_pdu, uint16_t netkey_in
 network_pdu->len += 2;
 big_endian_store_16(network_pdu->data, network_pdu->len, dest);
 network_pdu->len += 2;
+ btstack_assert((network_pdu->len + transport_pdu_len) <= MESH_NETWORK_PAYLOAD_MAX);
 (void)memcpy(&network_pdu->data[network_pdu->len], transport_pdu_data, transport_pdu_len);
 network_pdu->len += transport_pdu_len;
 // zero rest of packet
- memset(&network_pdu->data[network_pdu->len], 0, MESH_NETWORK_PAYLOAD_MAX - transport_pdu_len);
+ memset(&network_pdu->data[network_pdu->len], 0, MESH_NETWORK_PAYLOAD_MAX - network_pdu->len);
 }
 /*
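Review bot: The new bound in front of the `memcpy` is only a `btstack_assert`, so if that macro can be compiled out (as assert macros commonly are in release builds) the copy is still unchecked. In that case the corrected `memset` length `MESH_NETWORK_PAYLOAD_MAX - network_pdu->len` would also wrap to a very large size once `len` exceeds the maximum. Since `transport_pdu_len` comes from the caller, I would keep the assert and add a runtime guard before the copy, e.g. `if (transport_pdu_len > (MESH_NETWORK_PAYLOAD_MAX - network_pdu->len)) return;`, or better, have the function report the failure, because a bare return from this void function leaves the PDU half-built. This assumes `data[]` holds exactly `MESH_NETWORK_PAYLOAD_MAX` bytes, which the hunk does not show; the function body starts above the hunk.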