pellepl/spiffs
1
0
Fork 0
mirror of https://github.com/pellepl/spiffs.git synced 2026-06-06 05:25:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: prevent stack buffer overflow in spiffs_read_dir_v()

Browse Source 
Replace unbounded strcpy with strncpy + explicit NUL termination when
copying the object name from flash into spiffs_dirent. The name field
read from raw flash may not be NUL-terminated, causing strcpy to read
past the end of the stack-allocated objix_hdr variable.

This matches the pattern already used in the write path (commit 8eb5cd3,
spiffs_nucleus.c:1018).

Fixes pellepl/spiffs#302
This commit is contained in:
Eun0us
2026-02-10 01:39:19 +01:00
parent 0b2e129011
commit 54cf8d349e
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/spiffs_hydrogen.c
+2 -1
View File
@@ -1083,7 +1083,8 @@ static s32_t spiffs_read_dir_v(
(SPIFFS_PH_FLAG_DELET | SPIFFS_PH_FLAG_IXDELE)) {
struct spiffs_dirent *e = (struct spiffs_dirent*)user_var_p;
e->obj_id = obj_id;
strcpy((char *)e->name, (char *)objix_hdr.name);
strncpy((char *)e->name, (char *)objix_hdr.name, sizeof(e->name) - 1);
e->name[sizeof(e->name) - 1] = '\0';
e->type = objix_hdr.type;
e->size = objix_hdr.size == SPIFFS_UNDEFINED_LEN ? 0 : objix_hdr.size;
e->pix = pix;