From 482f62e861de8e43e5989bc1110acfcc154e3a23 Mon Sep 17 00:00:00 2001 From: Arnaud Pouliquen Date: Mon, 30 Sep 2024 10:50:08 +0200 Subject: [PATCH] lib: rpmsg: replace strncpy with internal safe_strcpy The strncpy function does not ensure that the destination string is null-terminated. To address this issue, replace strncpy with the internal safe_strcpy() function, which guarantees null-termination of the destination string but also access only in buffer memory ranges. Note: (void)safe_strcpy(...) indicates that the return value is intentionally ignored. Signed-off-by: Arnaud Pouliquen --- lib/rpmsg/rpmsg.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/lib/rpmsg/rpmsg.c b/lib/rpmsg/rpmsg.c index 39774bc1..147b71d9 100644 --- a/lib/rpmsg/rpmsg.c +++ b/lib/rpmsg/rpmsg.c @@ -7,6 +7,7 @@ * SPDX-License-Identifier: BSD-3-Clause */ +#include #include #include @@ -141,7 +142,7 @@ int rpmsg_send_ns_message(struct rpmsg_endpoint *ept, unsigned long flags) ns_msg.flags = flags; ns_msg.addr = ept->addr; - strncpy(ns_msg.name, ept->name, sizeof(ns_msg.name)); + (void)safe_strcpy(ns_msg.name, sizeof(ns_msg.name), ept->name, strlen(ept->name)); ret = rpmsg_send_offchannel_raw(ept, ept->addr, RPMSG_NS_EPT_ADDR, &ns_msg, sizeof(ns_msg), true); @@ -305,7 +306,11 @@ void rpmsg_register_endpoint(struct rpmsg_device *rdev, rpmsg_ept_cb cb, rpmsg_ns_unbind_cb ns_unbind_cb, void *priv) { - strncpy(ept->name, name ? name : "", sizeof(ept->name)); + if (name) + (void)safe_strcpy(ept->name, sizeof(ept->name), name, sizeof(name)); + else + ept->name[0] = 0; + ept->refcnt = 1; ept->addr = src; ept->dest_addr = dest;