z_tx: Harden zwave_tx_queue.cpp by checking snprintf

rzr · github-advanced-security[bot] · rzr · commit f1edfa8747c9 · 2025-05-27T15:24:40.000+02:00
Checking snprintf results, reminder : If the output was truncated due to this limit, then the return value is the number of characters (excluding the terminating null byte) which would have been written to the final string if enough space had been available This was found using CodeQL: Potential fix for code scanning alert no. 16: Potentially overflowing call to snprintf Relate-to: SiliconLabsSoftware#100 Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com> Signed-off-by: Philippe Coval <philippe.coval@silabs.com>
diff --git a/applications/zpc/components/zwave/zwave_tx/src/zwave_tx_queue.cpp b/applications/zpc/components/zwave/zwave_tx/src/zwave_tx_queue.cpp
@@ -21,6 +21,7 @@
 #include "sl_log.h"
 
 // Generic includes
+#include <assert.h>
 #include <string.h>  // Using memcpy
 #include <cstdio>    // snprintf
 
@@ -403,52 +404,93 @@ void zwave_tx_queue::log_element(const zwave_tx_session_id_t session_id,
 void zwave_tx_queue::simple_log(zwave_tx_queue_element_t *e) const
 {
   uint16_t index = 0;
-  index += snprintf(message + index,
-                    sizeof(message) - index,
-                    "Enqueuing new frame (id=%p)",
-                    e->zwave_tx_session_id);
+  int written    = snprintf(message + index,
+                         sizeof(message) - index,
+                         "Enqueuing new frame (id=%p)",
+                         e->zwave_tx_session_id);
+  if (written < 0 || written >= static_cast<int>(sizeof(message) - index)) {
+    assert(false);
+    sl_log_error(LOG_TAG, "Overflow in zwave_tx_queue::simple_log\n");
+    return;
+  }
+  index += written;
 
   if (e->options.transport.valid_parent_session_id == true) {
-    index += snprintf(message + index,
-                      sizeof(message) - index,
-                      " (parent id=%p)",
-                      e->options.transport.parent_session_id);
+    written = snprintf(message + index,
+                       sizeof(message) - index,
+                       " (parent id=%p)",
+                       e->options.transport.parent_session_id);
+    if (written < 0 || written >= static_cast<int>(sizeof(message) - index)) {
+      assert(false);
+      sl_log_error(LOG_TAG, "Overflow in zwave_tx_queue::simple_log\n");
+      return;
+    }
+    index += written;
   }
 
   // Source address
-  index += snprintf(message + index,
-                    sizeof(message) - index,
-                    " - %d:%d -> ",
-                    e->connection_info.local.node_id,
-                    e->connection_info.local.endpoint_id);
+  written = snprintf(message + index,
+                     sizeof(message) - index,
+                     " - %d:%d -> ",
+                     e->connection_info.local.node_id,
+                     e->connection_info.local.endpoint_id);
+  if (written < 0 || written >= static_cast<int>(sizeof(message) - index)) {
+    assert(false);
+    sl_log_error(LOG_TAG, "Overflow in zwave_tx_queue::simple_log\n");
+    return;
+  }
+  index += written;
 
   // Destination
   if (e->connection_info.remote.is_multicast == false) {
-    index += snprintf(message + index,
-                      sizeof(message) - index,
-                      " %d:%d - ",
-                      e->connection_info.remote.node_id,
-                      e->connection_info.remote.endpoint_id);
+    written = snprintf(message + index,
+                       sizeof(message) - index,
+                       " %d:%d - ",
+                       e->connection_info.remote.node_id,
+                       e->connection_info.remote.endpoint_id);
+    if (written < 0 || written >= static_cast<int>(sizeof(message) - index)) {
+      assert(false);
+      sl_log_error(LOG_TAG, "Overflow in zwave_tx_queue::simple_log\n");
+      return;
+    }
+    index += written;
+
   } else {
-    index += snprintf(message + index,
-                      sizeof(message) - index,
-                      "Group ID %d (endpoint=%d) - ",
-                      e->connection_info.remote.multicast_group,
-                      e->connection_info.remote.endpoint_id);
+    written = snprintf(message + index,
+                       sizeof(message) - index,
+                       "Group ID %d (endpoint=%d) - ",
+                       e->connection_info.remote.multicast_group,
+                       e->connection_info.remote.endpoint_id);
+    if (written < 0 || written >= static_cast<int>(sizeof(message) - index)) {
+      assert(false);
+      sl_log_error(LOG_TAG, "Overflow in zwave_tx_queue::simple_log\n");
+      return;
+    }
+    index += written;
   }
 
   // Encapsulation & payload
-  index += snprintf(message + index,
-                    sizeof(message) - index,
-                    "Encapsulation %d - Payload (%d bytes) [",
-                    e->connection_info.encapsulation,
-                    e->data_length);
+  written = snprintf(message + index,
+                     sizeof(message) - index,
+                     "Encapsulation %d - Payload (%d bytes) [",
+                     e->connection_info.encapsulation,
+                     e->data_length);
+  if (written < 0 || written >= static_cast<int>(sizeof(message) - index)) {
+    assert(false);
+    sl_log_error(LOG_TAG, "Overflow in zwave_tx_queue::simple_log\n");
+    return;
+  }
+  index += written;
 
   for (uint16_t i = 0; i < e->data_length; i++) {
-    index += snprintf(message + index,
-                      sizeof(message) - index,
-                      "%02X ",
-                      e->data[i]);
+    written
+      = snprintf(message + index, sizeof(message) - index, "%02X ", e->data[i]);
+    if (written < 0 || written >= static_cast<int>(sizeof(message) - index)) {
+      assert(false);
+      sl_log_error(LOG_TAG, "Overflow in zwave_tx_queue::simple_log\n");
+      return;
+    }
+    index += written;
   }
   sl_log_debug(LOG_TAG, "%s] - Tx Queue size: %d\n", message, queue.size());
 }
