components: libc: fix array overflow in rt_object name assignment #10011
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[Problem Description] When assigning name to rt_object, strncpy() uses size equal to RT_NAME_MAX, which causes missing null-terminator and overflows into adjacent 'type' field. This corruption leads to unexpected system behavior. [Problem Analysis] The rt_object structure defines: | char name[RT_NAME_MAX] | -> buffer | rt_uint8_t type | -> adjacent field Original code calculates size as: size = end - first + 1; if (size > RT_NAME_MAX) size = RT_NAME_MAX; When size equals RT_NAME_MAX, strncpy() will copy exactly RT_NAME_MAX bytes without adding terminating '\0', causing two issues: 1. name buffer is not null-terminated 2. The implicit null-byte writes beyond name[] into type field [Solution] Change boundary check from: if (size > RT_NAME_MAX) size = RT_NAME_MAX; to: if (size >= RT_NAME_MAX) size = RT_NAME_MAX - 1; This ensures: 1. Always leaves space for null-terminator 2. Prevents overflow into type field 3. Maintains maximum valid name length (RT_NAME_MAX-1 + '\0') Signed-off-by: Liu Gui <kenneth.liu@sophgo.com>
supperthomas
approved these changes
Feb 21, 2025
mysterywolf
approved these changes
Feb 21, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
[Problem Description]
When assigning name to rt_object, strncpy() uses size equal to RT_NAME_MAX, which causes missing null-terminator and overflows into adjacent 'type' field. This corruption leads to unexpected system behavior.
[Problem Analysis]
The rt_object structure defines:
| char name[RT_NAME_MAX] | -> buffer
| rt_uint8_t type | -> adjacent field
Original code calculates size as:
size = end - first + 1;
if (size > RT_NAME_MAX) size = RT_NAME_MAX;
When size equals RT_NAME_MAX, strncpy() will copy exactly RT_NAME_MAX bytes without adding terminating '\0', causing two issues:
[Solution]
Change boundary check from:
if (size > RT_NAME_MAX) size = RT_NAME_MAX;
to:
if (size >= RT_NAME_MAX) size = RT_NAME_MAX - 1;
This ensures:
拉取/合并请求描述:(PR description)
[
为什么提交这份PR (why to submit this PR)
你的解决方案是什么 (what is your solution)
请提供验证的bsp和config (provide the config and bsp)
]
当前拉取/合并请求的状态 Intent for your PR
必须选择一项 Choose one (Mandatory):
代码质量 Code Quality:
我在这个拉取/合并请求中已经考虑了 As part of this pull request, I've considered the following:
#if 0代码,不包含已经被注释了的代码 All redundant code is removed and cleaned up