Description

Fixes three memory corruption vulnerabilities in the instrumentation subsystem:

1. Missing null-termination after strncpy operations

save_context() copies thread names using k_thread_name_copy() (which internally uses strncpy) and direct strncpy() calls without ensuring null termination. When thread names equal or exceed CONFIG_THREAD_MAX_NAME_LEN, the buffer lacks a null terminator, causing undefined behavior on subsequent reads.

Fix: Explicit null termination after both copy operations.

2. Integer underflow in call depth tracking

pop_callee_timestamp() unconditionally decrements the uint16_t call_depth field. Spurious or unbalanced function exits cause underflow (0 → 65535), corrupting profiling state and breaking depth tracking logic.

Fix: Guard decrement with zero check, increment unbalanced counter for diagnostics.

3. Ring buffer size mismatch

Ring buffer initialized with sizeof(instr_buffer) = CONFIG_SIZE + 1 instead of configured size. Users requesting N bytes receive N+1, wasting memory and violating configuration contract.

Fix: Initialize with CONFIG_INSTRUMENTATION_MODE_CALLGRAPH_TRACE_BUFFER_SIZE directly.

Testing

No existing tests cover this subsystem. Validation performed through code review and static analysis.

Documentation

No documentation changes required.

Installation

No installer impact.

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.