[nrf fromlist] settings: zms: use the safe function strnlen instead of strlen

rghaddab · rghaddab · commit c1062963edef · 2025-04-04T13:07:01.000+02:00
if the provided name in argument is not null this could lead to un
undefined behavior.
Use strnlen to make this safe

Upstream PR #: 87792

Signed-off-by: Riadh Ghaddab &lt;rghaddab@baylibre.com&gt;
(cherry picked from commit 7555e3391a329b11aca6de082d3a789a5223fc6c)
diff --git a/include/zephyr/settings/settings.h b/include/zephyr/settings/settings.h
@@ -45,6 +45,9 @@ extern "C" {
  */
 #define SETTINGS_EXTRA_LEN ((SETTINGS_MAX_DIR_DEPTH - 1) + 2)
 
+/* Maximum Settings name length including separators */
+#define SETTINGS_FULL_NAME_LEN SETTINGS_MAX_NAME_LEN + SETTINGS_EXTRA_LEN + 1
+
 /**
  * Function used to read the data from the settings storage in
  * h_set handler implementations.
diff --git a/subsys/settings/src/settings_zms.c b/subsys/settings/src/settings_zms.c
@@ -3,6 +3,8 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
+#define _POSIX_C_SOURCE 200809L /* for strnlen() */
+
 #include <errno.h>
 #include <string.h>
 
@@ -217,13 +219,14 @@ static int settings_zms_load_subtree(struct settings_store *cs, const struct set
 {
 	struct settings_zms *cf = CONTAINER_OF(cs, struct settings_zms, cf_store);
 	struct settings_zms_read_fn_arg read_fn_arg;
-	char name[SETTINGS_MAX_NAME_LEN + SETTINGS_EXTRA_LEN + 1];
+	char name[SETTINGS_FULL_NAME_LEN];
 	ssize_t rc1;
 	ssize_t rc2;
 	uint32_t name_hash;
 	int ret = 0;
 
-	name_hash = sys_hash32(arg->subtree, strlen(arg->subtree)) & ZMS_HASH_MASK;
+	name_hash = sys_hash32(arg->subtree, strnlen(arg->subtree, SETTINGS_FULL_NAME_LEN)) &
+		    ZMS_HASH_MASK;
 	for (int i = 0; i <= cf->hash_collision_num; i++) {
 		name_hash = ZMS_UPDATE_COLLISION_NUM(name_hash, i);
 		/* Get the name entry from ZMS */
@@ -248,8 +251,8 @@ static int settings_zms_load_subtree(struct settings_store *cs, const struct set
 		read_fn_arg.fs = &cf->cf_zms;
 		read_fn_arg.id = ZMS_NAME_ID_FROM_HASH(name_hash) + ZMS_DATA_ID_OFFSET;
 
-		ret = settings_call_set_handler(arg->subtree, rc2, settings_zms_read_fn, &read_fn_arg,
-						(void *)arg);
+		ret = settings_call_set_handler(arg->subtree, rc2, settings_zms_read_fn,
+						&read_fn_arg, (void *)arg);
 		/* We should return here as there are no need to look for the next
 		 * hash collision */
 		return ret;
@@ -263,7 +266,7 @@ static ssize_t settings_zms_load_one(struct settings_store *cs, const char *name
 				     size_t buf_len)
 {
 	struct settings_zms *cf = CONTAINER_OF(cs, struct settings_zms, cf_store);
-	char r_name[SETTINGS_MAX_NAME_LEN + SETTINGS_EXTRA_LEN + 1];
+	char r_name[SETTINGS_FULL_NAME_LEN];
 	ssize_t rc = 0;
 	uint32_t name_hash;
 
@@ -272,7 +275,7 @@ static ssize_t settings_zms_load_one(struct settings_store *cs, const char *name
 		return -EINVAL;
 	}
 
-	name_hash = sys_hash32(name, strlen(name)) & ZMS_HASH_MASK;
+	name_hash = sys_hash32(name, strnlen(name, SETTINGS_FULL_NAME_LEN)) & ZMS_HASH_MASK;
 	for (int i = 0; i <= cf->hash_collision_num; i++) {
 		name_hash = ZMS_UPDATE_COLLISION_NUM(name_hash, i);
 		/* Get the name entry from ZMS */
@@ -305,7 +308,7 @@ static int settings_zms_load(struct settings_store *cs, const struct settings_lo
 	struct settings_zms *cf = CONTAINER_OF(cs, struct settings_zms, cf_store);
 	struct settings_zms_read_fn_arg read_fn_arg;
 	struct settings_hash_linked_list settings_element;
-	char name[SETTINGS_MAX_NAME_LEN + SETTINGS_EXTRA_LEN + 1];
+	char name[SETTINGS_FULL_NAME_LEN];
 	ssize_t rc1;
 	ssize_t rc2;
 	uint32_t ll_hash_id;
@@ -430,7 +433,7 @@ static int settings_zms_save(struct settings_store *cs, const char *name, const
 {
 	struct settings_zms *cf = CONTAINER_OF(cs, struct settings_zms, cf_store);
 	struct settings_hash_linked_list settings_element;
-	char rdname[SETTINGS_MAX_NAME_LEN + SETTINGS_EXTRA_LEN + 1];
+	char rdname[SETTINGS_FULL_NAME_LEN];
 	uint32_t name_hash;
 	uint32_t collision_num = 0;
 	bool delete;
@@ -448,7 +451,7 @@ static int settings_zms_save(struct settings_store *cs, const char *name, const
 	/* Find out if we are doing a delete */
 	delete = ((value == NULL) || (val_len == 0));
 
-	name_hash = sys_hash32(name, strlen(name)) & ZMS_HASH_MASK;
+	name_hash = sys_hash32(name, strnlen(name, SETTINGS_FULL_NAME_LEN)) & ZMS_HASH_MASK;
 	/* MSB is always 1 */
 	name_hash |= BIT(31);
 
@@ -601,7 +604,7 @@ static int settings_zms_save(struct settings_store *cs, const char *name, const
 no_ll_update:
 #endif /* CONFIG_SETTINGS_ZMS_NO_LL_DELETE */
 		/* Now let's write the name */
-		rc = zms_write(&cf->cf_zms, name_hash, name, strlen(name));
+		rc = zms_write(&cf->cf_zms, name_hash, name, strnlen(name, SETTINGS_FULL_NAME_LEN));
 		if (rc < 0) {
 			return rc;
 		}
@@ -622,7 +625,7 @@ static int settings_zms_save(struct settings_store *cs, const char *name, const
 static ssize_t settings_zms_get_val_len(struct settings_store *cs, const char *name)
 {
 	struct settings_zms *cf = CONTAINER_OF(cs, struct settings_zms, cf_store);
-	char r_name[SETTINGS_MAX_NAME_LEN + SETTINGS_EXTRA_LEN + 1];
+	char r_name[SETTINGS_FULL_NAME_LEN];
 	ssize_t rc = 0;
 	uint32_t name_hash;
 
@@ -631,7 +634,7 @@ static ssize_t settings_zms_get_val_len(struct settings_store *cs, const char *n
 		return -EINVAL;
 	}
 
-	name_hash = sys_hash32(name, strlen(name)) & ZMS_HASH_MASK;
+	name_hash = sys_hash32(name, strnlen(name, SETTINGS_FULL_NAME_LEN)) & ZMS_HASH_MASK;
 	for (int i = 0; i <= cf->hash_collision_num; i++) {
 		name_hash = ZMS_UPDATE_COLLISION_NUM(name_hash, i);
 		/* Get the name entry from ZMS */
