mirror of
https://github.com/RT-Thread/rt-thread.git
synced 2025-02-22 01:05:20 +08:00
a5b26bb588
[Problem Description] When assigning name to rt_object, strncpy() uses size equal to RT_NAME_MAX, which causes missing null-terminator and overflows into adjacent 'type' field. This corruption leads to unexpected system behavior. [Problem Analysis] The rt_object structure defines: | char name[RT_NAME_MAX] | -> buffer | rt_uint8_t type | -> adjacent field Original code calculates size as: size = end - first + 1; if (size > RT_NAME_MAX) size = RT_NAME_MAX; When size equals RT_NAME_MAX, strncpy() will copy exactly RT_NAME_MAX bytes without adding terminating '\0', causing two issues: 1. name buffer is not null-terminated 2. The implicit null-byte writes beyond name[] into type field [Solution] Change boundary check from: if (size > RT_NAME_MAX) size = RT_NAME_MAX; to: if (size >= RT_NAME_MAX) size = RT_NAME_MAX - 1; This ensures: 1. Always leaves space for null-terminator 2. Prevents overflow into type field 3. Maintains maximum valid name length (RT_NAME_MAX-1 + '\0') Signed-off-by: Liu Gui <kenneth.liu@sophgo.com>