From 654e690057e8f7ea9fcbd3fd901d9ccc93c33fd2 Mon Sep 17 00:00:00 2001
From: sudarsan N
Date: Fri, 13 Jun 2025 14:47:48 +0530
Subject: [PATCH] settings: zms: fix out-of-bounds null terminator write

Previously, zms_read() could fill the buffer up to sizeof(rdname), leaving no space for the null terminator, which could cause an out-of-bounds write. This change reduces the read size to sizeof(rdname) - 1 and appends a '\0' manually, ensuring the buffer is always null-terminated safely.

Fixes: CID 516244
Fixes: #90533
Signed-off-by: sudarsan N
---
 subsys/settings/src/settings_zms.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/subsys/settings/src/settings_zms.c b/subsys/settings/src/settings_zms.c
index 2f55cf45fd3..485c2a68b08 100644
--- a/subsys/settings/src/settings_zms.c
+++ b/subsys/settings/src/settings_zms.c
@@ -432,7 +432,7 @@ static int settings_zms_save(struct settings_store *cs, const char *name, const
 for (int i = 0; i <= cf->hash_collision_num; i++) {
 rc = zms_read(&cf->cf_zms, name_hash + i * LSB_GET(ZMS_COLLISIONS_MASK), &rdname,
- sizeof(rdname));
+ sizeof(rdname) - 1);
 if (rc == -ENOENT) {
 if (first_available_hash_index < 0) {
 first_available_hash_index = i;
@@ -445,6 +445,8 @@ static int settings_zms_save(struct settings_store *cs, const char *name, const
 /* Settings entry exist, let's verify if this is the same
 * name */
+ __ASSERT_NO_MSG(rc < sizeof(rdname));
+ rdname[rc] = '\0';
 if ((rc == name_len) && !memcmp(name, rdname, rc)) {
 /* Hash exist and the names are equal, we should
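Review bot: The loop still treats only `rc == -ENOENT` as the not-found case, so any other negative return from zms_read() (which, as that check implies, presumably reports errors as negative errno values) falls through to the code after this hunk, where the second hunk's `rdname[rc] = '\0'` would use that negative value as an index and `__ASSERT_NO_MSG` is a no-op in builds with assertions disabled. Unless the lines between the two hunks (439-444, not shown here) already bail out on errors, add `} else if (rc < 0) { return rc; }` after the `-ENOENT` branch so the terminator write only ever sees a byte count. The `- 1` also deserves a one-line comment, `/* keep one byte for the terminator appended after the read */`, because the read size here and the `rdname[rc]` write in the second hunk are now coupled across two hunks and either can be edited without seeing the other. settings_zms_save() starts and ends outside this hunk.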