
Commit 1bf07f7

committed
z_api_demo: Harden zwave_api_demo_commands.c by checking snprintf
This was reported by CodeQL.

Signed-off-by: Philippe Coval <philippe.coval@silabs.com>
1 parent 7f4970f commit 1bf07f7

1 file changed

Lines changed: 61 additions & 15 deletions


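--- a/applications/zpc/applications/zwave_api_demo/src/zwave_api_demo_commands.c
+++ b/applications/zpc/applications/zwave_api_demo/src/zwave_api_demo_commands.c
@@ -12,6 +12,7 @@
 *****************************************************************************/
 
 #include "zwave_api_demo.h"
+#include <assert.h>
 #include <string.h>
 
 extern bool exit_program;
@@ -307,18 +308,33 @@ static sl_status_t request_nif()
 static sl_status_t node_list()
 {
 zwave_nodemask_t node_list = {0};
-
+int written = 0;
 sl_status_t command_status = zwapi_get_node_list(node_list);
 if (command_status == SL_STATUS_OK) {
 char message[MAXIMUM_MESSAGE_SIZE];
 uint16_t index = 0;
-index
-+= snprintf(message + index, sizeof(message) - index, "NodeID List: ");
+
+written
+= snprintf(message + index, sizeof(message) - index, "NodeID List: ");
+if (written < 0 || written >= (int)(sizeof(message) - index)) {
+sl_log_error(LOG_TAG,
+"Buffer overflow prevented while writing message\n");
+return SL_STATUS_FAIL;
+}
+index += written;
+
 for (zwave_node_id_t node_id = ZW_MIN_NODE_ID; node_id <= ZW_LR_MAX_NODE_ID;
 node_id++) {
 if (ZW_IS_NODE_IN_MASK(node_id, node_list) == 1) {
-index
-+= snprintf(message + index, sizeof(message) - index, "%d ", node_id);
+written
+= snprintf(message + index, sizeof(message) - index, "%d ", node_id);
+if (written < 0 || written >= (int)(sizeof(message) - index)) {
+sl_log_error(LOG_TAG,
+"Buffer overflow prevented while writing message\n");
+assert(false);
+return SL_STATUS_FAIL;
+}
+index += written;
 }
 }
 sl_log_info(LOG_TAG, "%s\n", message);
@@ -337,15 +353,29 @@ static sl_status_t failed_node_list()
 }
 char message[MAXIMUM_MESSAGE_SIZE];
 uint16_t index = 0;
-index += snprintf(message + index,
-sizeof(message) - index,
-"Failed NodeID List: ");
+int written = snprintf(message + index,
+sizeof(message) - index,
+"Failed NodeID List: ");
+if (written < 0 || written >= (int)(sizeof(message) - index)) {
+sl_log_error(LOG_TAG, "Buffer overflow prevented while writing message\n");
+assert(false);
+return SL_STATUS_FAIL;
+}
+index += written;
+
 for (zwave_node_id_t node_id = ZW_MIN_NODE_ID; node_id <= ZW_LR_MAX_NODE_ID;
 node_id++) {
 if (ZW_IS_NODE_IN_MASK(node_id, node_list) == 1) {
 if (zwapi_is_node_failed(node_id)) {
-index
-+= snprintf(message + index, sizeof(message) - index, "%d ", node_id);
+written
+= snprintf(message + index, sizeof(message) - index, "%d ", node_id);
+if (written < 0 || written >= (int)(sizeof(message) - index)) {
+sl_log_error(LOG_TAG,
+"Buffer overflow prevented while writing message\n");
+assert(false);
+// return SL_STATUS_FAIL;
+}
+index += written;
 }
 }
 }
@@ -359,17 +389,33 @@ static sl_status_t virtual_node_list()
 zwave_nodemask_t node_list = {0};
 
 sl_status_t command_status = zwapi_get_virtual_nodes(node_list);
+int written = 0;
 if (command_status == SL_STATUS_OK) {
 char message[MAXIMUM_MESSAGE_SIZE];
 uint16_t index = 0;
-index += snprintf(message + index,
-sizeof(message) - index,
-"Virtual NodeID List: ");
+written = snprintf(message + index,
+sizeof(message) - index,
+"Virtual NodeID List: ");
+if (written < 0 || written >= (int)(sizeof(message) - index)) {
+sl_log_error(LOG_TAG,
+"Buffer overflow prevented while writing message\n");
+assert(false);
+// return SL_STATUS_FAIL;
+}
+index += written;
+
 for (zwave_node_id_t node_id = ZW_MIN_NODE_ID; node_id <= ZW_LR_MAX_NODE_ID;
 node_id++) {
 if (ZW_IS_NODE_IN_MASK(node_id, node_list) == 1) {
-index
-+= snprintf(message + index, sizeof(message) - index, "%d ", node_id);
+written
+= snprintf(message + index, sizeof(message) - index, "%d ", node_id);
+if (written < 0 || written >= (int)(sizeof(message) - index)) {
+sl_log_error(LOG_TAG,
+"Buffer overflow prevented while writing message\n");
+assert(false);
+//return SL_STATUS_FAIL;
+}
+index += written;
 }
 }
 sl_log_info(LOG_TAG, "%s\n", message);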
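Review bot: In the loop of failed_node_list() and at both checks in virtual_node_list(), `return SL_STATUS_FAIL;` is commented out, so the only stop after a failed or truncated snprintf is `assert(false);`, which compiles away when NDEBUG is defined. Execution then falls through to `index += written;`, which can move `index` past the end of `message` (or fold a negative value into a `uint16_t`); on the next pass `sizeof(message) - index` wraps as an unsigned value and snprintf receives a pointer beyond the buffer with a huge bound, which is the overflow this commit sets out to prevent. Restore `return SL_STATUS_FAIL;` after each `assert(false);` as the loop in node_list() does, and make the four sites consistent (the first check in node_list() has no assert), ideally through one small static append helper. It is also worth deciding whether truncation should be a hard failure: the loops run up to ZW_LR_MAX_NODE_ID, so presumably a large network can legitimately exceed MAXIMUM_MESSAGE_SIZE, and logging the partial message before continuing in a fresh buffer may serve better than dropping the output. All three functions start or end outside the visible hunks.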
