From 92c92eefdbc28c7784b47413e99b2bd00e7ceb39 Mon Sep 17 00:00:00 2001 From: "kenneth.liu" Date: Thu, 20 Feb 2025 20:25:30 +0800 Subject: [PATCH] components: libc: fix array overflow in rt_object name assignment [Problem Description] When assigning name to rt_object, strncpy() uses size equal to RT_NAME_MAX, which causes missing null-terminator and overflows into adjacent 'type' field. This corruption leads to unexpected system behavior. [Problem Analysis] The rt_object structure defines: | char name[RT_NAME_MAX] | -> buffer | rt_uint8_t type | -> adjacent field Original code calculates size as: size = end - first + 1; if (size > RT_NAME_MAX) size = RT_NAME_MAX; When size equals RT_NAME_MAX, strncpy() will copy exactly RT_NAME_MAX bytes without adding terminating '\0', causing two issues: 1. name buffer is not null-terminated 2. The implicit null-byte writes beyond name[] into type field [Solution] Change boundary check from: if (size > RT_NAME_MAX) size = RT_NAME_MAX; to: if (size >= RT_NAME_MAX) size = RT_NAME_MAX - 1; This ensures: 1. Always leaves space for null-terminator 2. Prevents overflow into type field 3. Maintains maximum valid name length (RT_NAME_MAX-1 + '\0') Signed-off-by: Liu Gui --- components/libc/posix/libdl/dlmodule.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/components/libc/posix/libdl/dlmodule.c b/components/libc/posix/libdl/dlmodule.c index 269e7bc4333..17aca0b2da8 100644 --- a/components/libc/posix/libdl/dlmodule.c +++ b/components/libc/posix/libdl/dlmodule.c @@ -55,7 +55,7 @@ static void _dlmodule_set_name(struct rt_dlmodule *module, const char *path) } size = end - first + 1; - if (size > RT_NAME_MAX) size = RT_NAME_MAX; + if (size >= RT_NAME_MAX) size = RT_NAME_MAX - 1; rt_strncpy(object->name, first, size); object->name[size] = '\0';
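Review bot: the commit message attributes the out-of-bounds write to strncpy and an "implicit null-byte", but in this hunk the access that reaches `type` is the explicit terminator store on the line after the copy, `object->name[size] = '\0';`, which for size == RT_NAME_MAX indexes one past the end of `char name[RT_NAME_MAX]`; strncpy itself never writes beyond the `size` bytes it is given, it merely omits the terminator. The new clamp `if (size >= RT_NAME_MAX) size = RT_NAME_MAX - 1;` is the right fix because it keeps that store inside the array (index RT_NAME_MAX - 1 at most), so the only requests are to reword the message to name the terminator store as the overflowing access, and, as a robustness point, to consider clamping against `sizeof(object->name) - 1` so the bound cannot drift from the array's declared size if RT_NAME_MAX and the field are ever decoupled.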
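Added example, not part of this patch or of RT-Thread's sources, that reproduces the off-by-one described in the commit message on a shrunk-down stand-in struct. `struct demo_object`, `RT_NAME_MAX` = 8, `DEMO_TYPE_MODULE` and the helper names are assumptions for the demo; `first` and `end` are taken to bracket the name inclusively, as `size = end - first + 1` in the hunk implies. Both boundary checks from the hunk are run against constructed basenames shorter than, equal to and longer than RT_NAME_MAX - 1, and `object_intact` reports whether the name ended up terminated inside its own buffer with the neighbouring `type` byte untouched.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Demo value only; RT-Thread configures RT_NAME_MAX in rtconfig.h. */
#define RT_NAME_MAX 8

/* Hypothetical stand-in for the two adjacent rt_object fields named in the
 * commit message: name[] is followed directly by type, with no padding. */
struct demo_object {
    char    name[RT_NAME_MAX];
    uint8_t type;
};

/* Arbitrary non-zero marker (assumption) so a clobbered type byte is easy to spot. */
#define DEMO_TYPE_MODULE 0x2B

/* Layout check: the terminator store at name[RT_NAME_MAX] hits the type byte. */
int type_is_adjacent(void)
{
    return offsetof(struct demo_object, type) == RT_NAME_MAX;
}

/* The check removed by the patch: size may stay equal to RT_NAME_MAX. */
size_t clamp_old(size_t size)
{
    if (size > RT_NAME_MAX) size = RT_NAME_MAX;
    return size;
}

/* The check added by the patch: size is at most RT_NAME_MAX - 1. */
size_t clamp_fixed(size_t size)
{
    if (size >= RT_NAME_MAX) size = RT_NAME_MAX - 1;
    return size;
}

/* Mirrors the tail of _dlmodule_set_name as shown in the hunk; first and end
 * bracket the name inclusively. The clamp argument selects old or fixed check. */
static void set_name(struct demo_object *o, const char *first, const char *end,
                     size_t (*clamp)(size_t))
{
    size_t size = (size_t)(end - first) + 1;
    size = clamp(size);
    strncpy(o->name, first, size); /* writes no terminator when size == name length */
    o->name[size] = '\0';          /* with clamp_old and size == RT_NAME_MAX this is o->type */
}

/* 1 if name is NUL-terminated inside its buffer and type was not overwritten. */
static int object_intact(const struct demo_object *o)
{
    return memchr(o->name, '\0', RT_NAME_MAX) != NULL && o->type == DEMO_TYPE_MODULE;
}

/* base must be non-empty; returns 1 when the object survives the assignment intact. */
static int run_with(const char *base, size_t (*clamp)(size_t))
{
    struct demo_object o;
    memset(&o, 0, sizeof o);
    o.type = DEMO_TYPE_MODULE;
    set_name(&o, base, base + strlen(base) - 1, clamp);
    return object_intact(&o);
}

int old_check_intact(const char *base)   { return run_with(base, clamp_old); }
int fixed_check_intact(const char *base) { return run_with(base, clamp_fixed); }

int main(void)
{
    /* Constructed sample basenames: below, at and above the RT_NAME_MAX - 1 limit. */
    const char *names[] = { "mod", "module0", "module01", "verylongmodule" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-15s old check: %-8s fixed check: %s\n", names[i],
               old_check_intact(names[i]) ? "intact" : "CORRUPT",
               fixed_check_intact(names[i]) ? "intact" : "CORRUPT");
    return 0;
}
```

The eight-character name is the instructive case: the old check leaves size at 8, so strncpy fills all of `name[]` without a terminator and the following `o->name[size] = '\0'` lands on `type`, which is exactly the corruption the commit message reports; a seven-character name passes both checks, which is why the bug only shows up for names of length RT_NAME_MAX or more.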