zwave_api: Harden zwapi_protocol_rx_dispatch.c by checking snprintf

rzr · github-advanced-security[bot] · rzr · commit 7d28badfc931 · 2025-06-03T11:51:18.000+02:00
Checking snprintf results, reminder : If the output was truncated due to this limit, then the return value is the number of characters (excluding the terminating null byte) which would have been written to the final string if enough space had been available This was found using CodeQL: Potential fix for code scanning alert no. 23: Potentially overflowing call to snprintf Origin: SiliconLabsSoftware#118 Relate-to: SiliconLabsSoftware#100 Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Philippe Coval <philippe.coval@silabs.com>
diff --git a/applications/zpc/components/zwave_api/src/zwapi_protocol_rx_dispatch.c b/applications/zpc/components/zwave_api/src/zwapi_protocol_rx_dispatch.c
@@ -12,6 +12,7 @@
  *****************************************************************************/
 
 // Generic includes
+#include <assert.h>
 #include <string.h>
 #include <stdio.h>
 
@@ -111,15 +112,28 @@ static const char *zwapi_frame_to_string(const uint8_t *buffer,
   static char message[1000] = {'\0'};
   uint16_t index            = 0;
   for (uint16_t i = 0; i < buffer_length; i++) {
+    int written = 0;
     if (i == IDX_LEN) {
-      index += snprintf(message + index, sizeof(message) - index, "Length=");
+      written = snprintf(message + index, sizeof(message) - index, "Length=");
     } else if (i == IDX_TYPE) {
-      index += snprintf(message + index, sizeof(message) - index, "Type=");
+      written = snprintf(message + index, sizeof(message) - index, "Type=");
     } else if (i == IDX_CMD) {
-      index += snprintf(message + index, sizeof(message) - index, "Cmd=");
+      written = snprintf(message + index, sizeof(message) - index, "Cmd=");
     }
-    index
-      += snprintf(message + index, sizeof(message) - index, "%02X ", buffer[i]);
+    if (written < 0 || written >= (int)(sizeof(message) - index)) {
+      assert(false);
+      sl_log_error(LOG_TAG, "Overflow in zwapi_frame_to_string\n");
+      return NULL;
+    }
+    index += written;
+    written
+      = snprintf(message + index, sizeof(message) - index, "%02X ", buffer[i]);
+    if (written < 0 || written >= (int)(sizeof(message) - index)) {
+      assert(false);
+      sl_log_error(LOG_TAG, "Overflow in zwapi_frame_to_string\n");
+      return NULL;
+    }
+    index += written;
   }
   return message;
 }
@@ -650,7 +664,7 @@ void zwave_api_protocol_rx_dispatch(uint8_t *pData, uint16_t len)
     case FUNC_ID_ZW_REQUEST_PROTOCOL_CC_ENCRYPTION:
       if (zwave_api_get_callbacks()->protocol_cc_encryption_request != NULL) {
         // ZW->HOST: REQ | 0x6C | destination_node_id | payload_length | payload | protocol_metadata_length | protocol_metadata | use_supervision | session_id
-        uint8_t current_index               = IDX_DATA;
+        uint8_t current_index = IDX_DATA;
         const zwave_node_id_t destination_node_id
           = zwapi_read_node_id(pData, &current_index);
         const uint8_t payload_length = pData[current_index++];
