fix: null-check packetPool / queueStatusPool allocCopy across 11 router/module callers

[nightjoker7]

What this changes

Adds null-checks at 11 call sites that take a pointer from packetPool.allocCopy() or queueStatusPool.allocCopy() and immediately dereference (or pass to a function that derefs) without verifying the allocation succeeded. Allocator::allocCopy is documented to return nullptr on pool exhaustion — these call sites assumed "always succeeds."

Total diff: 6 files, 49 insertions / 17 deletions. No behavioral change on the happy path.

File:line	Pre-fix
src/mesh/MeshService.cpp:113	sendToPhone(packetPool.allocCopy(*mp))
src/mesh/MeshService.cpp:209	auto a = packetPool.allocCopy(p); sendToMesh(a, RX_SRC_USER);
src/mesh/MeshService.cpp:233	meshtastic_QueueStatus *copied = queueStatusPool.allocCopy(qs); copied->res = res;
src/mesh/MeshService.cpp:271	auto a = packetPool.allocCopy(*p); sendToPhone(a);
src/mesh/NextHopRouter.cpp:35	startRetransmission(packetPool.allocCopy(*p));
src/mesh/NextHopRouter.cpp:151	tosend = packetPool.allocCopy(*p); tosend->hop_limit = 0;
src/mesh/NextHopRouter.cpp:329, 331, 336	three retransmission allocCopy sites passed straight to *::send(...)
src/mesh/ReliableRouter.cpp:21	auto copy = packetPool.allocCopy(*p); startRetransmission(copy, NUM_RELIABLE_RETX);
src/mesh/Router.cpp:376	p_decoded = packetPool.allocCopy(*p); ... mqtt->onSend(*p, *p_decoded, chIndex);
src/modules/NodeInfoModule.cpp:63	packetCopy = packetPool.allocCopy(mp); packetCopy->decoded.payload.size = ...
src/modules/AtakPluginModule.cpp:199	decompressedCopy = packetPool.allocCopy(mp); decompressedCopy->decoded.payload.size = ...

Affected hardware

The bug fires when packetPool is exhausted — i.e., when the heap-backed allocator can't fulfill a MeshPacket allocation (~400 B with metadata). Pool size is bounded by MAX_PACKETS = MAX_RX_TOPHONE(32) + MAX_RX_FROMRADIO(4) + 2*MAX_TX_QUEUE(16) + 2 = 70 slots, but the practical exhaustion trigger is free heap dropping below the per-allocation cost under burst load, not slot count.

Boards most exposed are those without PSRAM and with tight idle free heap:

• Heltec V1 / V2 / V3 LoRa-32 — ESP32 / ESP32-S3 with no PSRAM, ~70-80 KB free heap idle
• T-Beam classic — ESP32 with ~80 KB free idle
• T-Lora v2 1.6 — ESP32 with ~90 KB free idle
• RAK4631 — nRF52840 with 256 KB total RAM, ~60 KB free idle

PSRAM boards (Heltec V4 TFT, Tracker, Station G2, T-Beam-S3 family, T-Watch-S3) are harder to exhaust because the allocator can back onto 8 MB PSRAM, but the same crash mechanism applies if pool exhaustion ever happens.

Backtraces this addresses

Two existing field reports have decoded backtraces that land directly on the call sites this PR is guarding:

• [Bug]: Crash in JSON MQTT bridge #1355 — Crash in JSON MQTT bridge. Guru Meditation Error: LoadProhibited, EXCVADDR=0x00000004 (textbook null-deref of a struct field at offset 4). Decoded backtrace frame 0 is MQTT::downstreamPacketToJson, called via MQTT::onSend from Router::send — the exact path guarded by the Router.cpp:376 fix here (if (p_decoded && ...)). Filed by @caveman99.

• [BUG] Crash/reboot loop entering 'Settings/Device' using Android app after configuring as REPEATER #4410 — Crash/reboot loop entering 'Settings/Device' using Android app after configuring as REPEATER. @GUVWAF decoded the backtrace in-thread; frame 0 is MeshService::sendToPhone, which is the call site of packetPool.allocCopy(*mp) at MeshService.cpp:113. GUVWAF noted "not sure why it's crashing" — the unguarded null deref on pool exhaustion is a plausible cause, though not definitively proven from the trace alone.

I'm not claiming this PR "fixes" either issue (both are closed); I'm claiming the call graphs in their decoded backtraces match the call sites being guarded here. If pool exhaustion is the trigger, the symptom shifts from a panic to a logged drop after this change.

Reproduction

Used a deterministic null-injection harness on Heltec V3 (ESP32-S3, no PSRAM, the same hardware tier as the cited reports): a 1-line edit in MemoryPool.h::allocCopy returning nullptr every 5th call. Drove sendText load via meshtastic-python SerialInterface for 90 s on two devices flashed identically except for these patches.

Build	rebootCount before / after	Verdict
Baseline (origin/develop + injection)	4 → 26	+22 panics in 90 s
This patch (develop + 11 sites + injection)	3 → 4	+1 (post-test reopen artifact, identical on baseline)

Same hardware, same workload, same injection rate, same channel. The only difference is the 11 null-checks.

Why the diff is small

Mirrors the merge pattern of #10262 (13 allocZeroed null-checks in one focused PR). Same shape, adjacent class. Sites that already had null-checks are left alone — Router.cpp:744 (legacy guard from #9136), Router.cpp:813 (existing if (p_encrypted_new)), and the Telemetry consumers (if (!lastMeasurementPacket)).

Risk

Minimal. Each fix is an additive if (auto *c = ...) ...; or if (!ptr) { LOG_WARN; early-return; }. The only runtime change vs baseline is "pool exhaustion now logs and drops one packet instead of crashing the radio task." No public-API surface change.

Follow-up

A round-2 follow-through covers helper-level fixes (Router::allocForSending, MeshModule::allocAckNak, SinglePortModule::allocDataPacket, ProtobufModule::allocDataProtobuf) plus 10 module callers (RoutingModule, NeighborInfoModule, PositionModule, StatusMessageModule, the 5 Telemetry modules + HostMetrics). Held for a separate PR to keep this diff focused; the 11 sites here are the load-bearing ones in the cited backtraces.

[Copilot]

Pull request overview

This PR adds defensive null-checks at multiple call sites that use packetPool.allocCopy() / queueStatusPool.allocCopy() results immediately, preventing null-dereference crashes when pools are exhausted (especially on low-heap / no-PSRAM boards).

Changes:

• Added allocation-result checks and safe early-exit behavior across router/service/module paths that previously assumed allocCopy() always succeeds.
• Guarded MQTT publish in Router::send() against p_decoded == nullptr to avoid crashes under pool exhaustion.
• Added warnings / comments to clarify dropped/skipped behavior on allocation failure.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.

Show a summary per file

File	Description
src/mesh/MeshService.cpp	Null-check packetPool.allocCopy() / queueStatusPool.allocCopy() before forwarding to phone / mesh and sending queue status.
src/mesh/NextHopRouter.cpp	Null-check allocCopy() before starting retransmission and before allocating copies for retransmission sends.
src/mesh/ReliableRouter.cpp	Avoid starting retransmission if allocCopy() fails (still sends original packet).
src/mesh/Router.cpp	Skip MQTT onSend() when decoded-copy allocation fails; keep release behavior safe for nullptr.
src/modules/NodeInfoModule.cpp	Null-check packet copy before re-encoding payload and forwarding to phone.
src/modules/AtakPluginModule.cpp	Null-check decompressed packet copy before re-encoding and forwarding to phone.

Comments suppressed due to low confidence (1)

src/mesh/NextHopRouter.cpp:341

• doRetransmissions() now conditionally sends only if allocCopy() succeeds, but the retransmission counter is decremented unconditionally later in the block. If allocCopy() fails due to pool exhaustion, this will consume a retry without actually sending anything and can cause premature NAK/failure. Consider only decrementing tries when a retransmission packet was successfully allocated/queued (but still rescheduling nextTxMsec to avoid a tight loop).

                        if (auto *c = packetPool.allocCopy(*p.packet)) FloodingRouter::send(c);
                    } else {
                        if (auto *c = packetPool.allocCopy(*p.packet)) NextHopRouter::send(c);
                    }
                } else {
                    // Note: we call the superclass version because we don't want to have our version of send() add a new
                    // retransmission record
                    if (auto *c = packetPool.allocCopy(*p.packet)) FloodingRouter::send(c);
                }

                // Queue again
                --p.numRetransmissions;
                setNextTx(&p);

[nightjoker7]

Pushed 67bc2665d addressing the Copilot review on 0984d68:

• AtakPluginModule.cpp:205 — fixed sizeof(payload) → sizeof(payload.bytes). PB_BYTES_ARRAY_T is {size + bytes[N]}, so the previous form overstated the buffer passed to pb_encode_to_bytes by the size-field width and could let it write past payload.bytes into adjacent fields under a worst-case TAKPacket re-encode. Now matches the canonical form already used at NodeInfoModule.cpp:67. Nice catch by Copilot.
• 4× caller-side LOG_WARN → LOG_DEBUG (MeshService.cpp:116, MeshService.cpp:235, AtakPluginModule.cpp:201, NodeInfoModule.cpp:71). The allocator and the underlying static pool already log WARN on failure (MemoryPool.h:24,45,158), so each pool exhaustion was producing 3 lines. Caller-side breadcrumb is preserved for debug builds.
• MeshService.cpp:281 — reworded the cc-to-phone exhaustion comment. Previous wording implied future re-delivery via the RX path, which isn't guaranteed for non-broadcast / non-local sends.

Verified locally: pio test -e coverage -f test_atak -f test_default -f test_meshpacket_serializer → 41/41 pass. Diff is +9/-7 across 3 files.