settings: zms: fix out-of-bounds null terminator write

Previously, zms_read() could fill the buffer up to sizeof(rdname),
leaving no space for the null terminator, which could cause an
out-of-bounds write.

This change reduces the read size to sizeof(rdname) - 1 and appends
a '\0' manually, ensuring the buffer is always null-terminated safely.

Fixes: CID 516244
Fixes: #90533

Signed-off-by: sudarsan N <sudarsansamy2002@gmail.com>
pull/91646/head
sudarsan N 4 weeks ago committed by Benjamin Cabé
parent
commit
654e690057
subsys/settings/src/settings_zms.c

@ -432,7 +432,7 @@ static int settings_zms_save(struct settings_store *cs, const char *name, const
for (int i = 0; i <= cf->hash_collision_num; i++) { for (int i = 0; i <= cf->hash_collision_num; i++) {
rc = zms_read(&cf->cf_zms, name_hash + i * LSB_GET(ZMS_COLLISIONS_MASK), &rdname, rc = zms_read(&cf->cf_zms, name_hash + i * LSB_GET(ZMS_COLLISIONS_MASK), &rdname,
sizeof(rdname)); sizeof(rdname) - 1);
if (rc == -ENOENT) { if (rc == -ENOENT) {
if (first_available_hash_index < 0) { if (first_available_hash_index < 0) {
first_available_hash_index = i; first_available_hash_index = i;
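Review bot: The `- 1` in the new `sizeof(rdname) - 1` length argument is unexplained at the call site. A short comment saying that it reserves the last byte for the terminator stored later at `rdname[rc]` would keep a future edit from restoring the full size. While this call is being touched, `&rdname` could be passed as plain `rdname`: `sizeof(rdname)` and `rdname[rc]` show it is an array, and the decayed pointer is the more usual form.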
@ -445,6 +445,8 @@ static int settings_zms_save(struct settings_store *cs, const char *name, const
/* Settings entry exist, let's verify if this is the same /* Settings entry exist, let's verify if this is the same
* name * name
*/ */
__ASSERT_NO_MSG(rc < sizeof(rdname));
rdname[rc] = '\0'; rdname[rc] = '\0';
if ((rc == name_len) && !memcmp(name, rdname, rc)) { if ((rc == name_len) && !memcmp(name, rdname, rc)) {
/* Hash exist and the names are equal, we should /* Hash exist and the names are equal, we should
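Review bot: The added `__ASSERT_NO_MSG(rc < sizeof(rdname))` compares `rc`, which is tested against `-ENOENT` in the loop above and is therefore signed, with an unsigned `sizeof` result, so a negative `rc` is rejected only through implicit conversion to a large unsigned value. Writing the condition as `rc >= 0 && (size_t)rc < sizeof(rdname)` states the intent directly. The assertion is also compiled out in builds without assertions enabled, which leaves the store at `rdname[rc]` bounded only by the reduced read length; if the lines between the two hunks (not shown here) do not already bail out on other negative `rc` values, an explicit runtime check before the store is worth adding.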
