settings: zms: fix out-of-bounds null terminator write

Previously, zms_read() could fill the buffer up to sizeof(rdname),
leaving no space for the null terminator, which could cause an
out-of-bounds write.

This change reduces the read size to sizeof(rdname) - 1 and appends
a '\0' manually, ensuring the buffer is always null-terminated safely.

Fixes: CID 516244
Fixes: #90533

Signed-off-by: sudarsan N <sudarsansamy2002@gmail.com>
sudarsan N 2025-06-13 14:47:48 +05:30 committed by Benjamin Cabé
parent e93a6338d4
commit 654e690057

@ -432,7 +432,7 @@ static int settings_zms_save(struct settings_store *cs, const char *name, const
for (int i = 0; i <= cf->hash_collision_num; i++) {
rc = zms_read(&cf->cf_zms, name_hash + i * LSB_GET(ZMS_COLLISIONS_MASK), &rdname,
sizeof(rdname));
sizeof(rdname) - 1);
if (rc == -ENOENT) {
if (first_available_hash_index < 0) {
first_available_hash_index = i;
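
Review bot: the new length argument `sizeof(rdname) - 1` in the zms_read() call carries no comment explaining that the spare byte is reserved for the terminator written further down by `rdname[rc] = '\0'`. A one-line comment at the call would keep a later cleanup from restoring the full size and reintroducing the overflow. The call also passes `&rdname` while the size is taken from `rdname`; if rdname is an array, passing `rdname` itself is the more usual form and makes the pairing of pointer and length easier to check.
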
@ -445,6 +445,8 @@ static int settings_zms_save(struct settings_store *cs, const char *name, const
/* Settings entry exist, let's verify if this is the same
* name
*/
__ASSERT_NO_MSG(rc < sizeof(rdname));
rdname[rc] = '\0';
if ((rc == name_len) && !memcmp(name, rdname, rc)) {
/* Hash exist and the names are equal, we should
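
Review bot: the bound for `rdname[rc] = '\0'` rests only on `__ASSERT_NO_MSG(rc < sizeof(rdname))`, which does nothing in builds where assertions are disabled. rc is compared with -ENOENT in the previous hunk, so it is a signed value; unless the lines not shown between the two hunks already bail out on every other negative return, a negative rc would index before the start of the buffer. The assertion also compares a signed rc with a size_t, which works only through implicit conversion. Suggest an explicit runtime check before the write, for example `if (rc < 0 || rc >= (int)sizeof(rdname))` treated as an error, and keeping the assert only as a secondary guard.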