Closed
Description
ostimer.c maintains a static OS_timer_table, and a char name[OS_MAX_API_NAME] is an element of each table entry.
In OS_TimerCreate(), ln 298, '''the code could leave an unterminated string in OS_timer_table[i].name'''. And it appears as though all the other code is assuming it IS a properly-terminated string. Line 243 tests:
{{{
if (strlen(timer_name) > OS_MAX_API_NAME)
{
    /* ...return error value */
}
}}}
and later
{{{
strncpy(OS_timer_table[possible_tid].name, timer_name, OS_MAX_API_NAME);
}}}
copies the string with OS_MAX_API_NAME length.
But if the timer_name argument is sized exactly OS_MAX_API_NAME+1 (including the terminating null) then it'll be copied over so that there is no terminating null in the table entry name.
To fix:
- The strlen if-test should account for the \0 in its length check
{{{
if (strlen(timer_name) > OS_MAX_API_NAME-1)
}}}
- The documentation for this function should note the actual arg length limit with the null
- (nice to have) It isn't actually documented in osconfig.h whether the terminating string nulls are counted as part of the OS_MAX_* name and path limits. But it certainly does appear that the intent is that strings are properly terminated in the VxWorks OSAL. (Written clarity on that convention would have helped some.)
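The boundary case described in this issue, as an added example that is not part of the original report or the OSAL source. It compares the quoted length check with the proposed one on a name of exactly OS_MAX_API_NAME characters. The value 20 for OS_MAX_API_NAME, the RC_* codes, `timer_record_t`, `store_name` and `terminated_after` are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define OS_MAX_API_NAME  20    /* assumed value; the real one comes from osconfig.h */
#define RC_OK            0     /* hypothetical return codes for this example */
#define RC_NAME_TOO_LONG (-1)

/* Hypothetical stand-in for the name field of one OS_timer_table entry. */
typedef struct { char name[OS_MAX_API_NAME]; } timer_record_t;

/* fixed == 0: length check as quoted in the issue.
 * fixed == 1: proposed check that reserves one byte for the '\0'. */
static int store_name(timer_record_t *rec, const char *timer_name, int fixed)
{
    size_t limit = fixed ? OS_MAX_API_NAME - 1 : OS_MAX_API_NAME;
    if (strlen(timer_name) > limit)
        return RC_NAME_TOO_LONG;
    /* strncpy writes no '\0' when the source has >= OS_MAX_API_NAME characters */
    strncpy(rec->name, timer_name, OS_MAX_API_NAME);
    return RC_OK;
}

/* Returns 1 if the stored name is terminated inside the field, 0 if it is
 * not, and -1 if the name was rejected. memchr keeps the probe in bounds. */
int terminated_after(int fixed, size_t len)
{
    char input[OS_MAX_API_NAME + 2];
    timer_record_t rec;

    if (len > OS_MAX_API_NAME + 1)
        return -1;
    memset(input, 'A', len);                /* constructed test name */
    input[len] = '\0';
    memset(&rec, 0x55, sizeof rec);         /* stale, non-zero table slot */

    if (store_name(&rec, input, fixed) != RC_OK)
        return -1;
    return memchr(rec.name, '\0', sizeof rec.name) != NULL;
}

int main(void)
{
    printf("quoted check,   len %d: %d\n", OS_MAX_API_NAME,
           terminated_after(0, OS_MAX_API_NAME));
    printf("proposed check, len %d: %d\n", OS_MAX_API_NAME,
           terminated_after(1, OS_MAX_API_NAME));
    return 0;
}
```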