mirror of
https://github.com/RT-Thread/rt-thread.git
synced 2025-02-24 09:50:34 +08:00
[Problem Description]

When assigning name to rt_object, strncpy() uses size equal to RT_NAME_MAX, which causes missing null-terminator and overflows into adjacent 'type' field. This corruption leads to unexpected system behavior.

[Problem Analysis]

The rt_object structure defines:

    | char name[RT_NAME_MAX] | -> buffer
    | rt_uint8_t type        | -> adjacent field

Original code calculates size as:

    size = end - first + 1;
    if (size > RT_NAME_MAX) size = RT_NAME_MAX;

When size equals RT_NAME_MAX, strncpy() will copy exactly RT_NAME_MAX bytes without adding terminating '\0', causing two issues:

1. name buffer is not null-terminated
2. The implicit null-byte writes beyond name[] into type field

[Solution]

Change boundary check from:

    if (size > RT_NAME_MAX) size = RT_NAME_MAX;

to:

    if (size >= RT_NAME_MAX) size = RT_NAME_MAX - 1;

This ensures:

1. Always leaves space for null-terminator
2. Prevents overflow into type field
3. Maintains maximum valid name length (RT_NAME_MAX-1 + '\0')

Signed-off-by: Liu Gui <kenneth.liu@sophgo.com>
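The off-by-one described in the commit message above, as an added C example that is not RT-Thread's code: it applies the original and the patched clamp to a stand-in struct and reports what happens to the adjacent field. `demo_object`, `demo_set_name`, `demo_run`, the value 8 for `RT_NAME_MAX`, the sample name, and the terminator write placed at offset `size` after `strncpy()` are assumptions of this example, since the page does not show the surrounding source.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RT_NAME_MAX 8                 /* value chosen for this example */
/* Stand-in for the layout in the commit message: name[] then type. */
struct demo_object {
    char    name[RT_NAME_MAX];
    uint8_t type;
};

/* Copy bytes first..end (inclusive) into obj->name using the original
 * clamp (fixed == 0) or the patched clamp (fixed != 0). */
void demo_set_name(struct demo_object *obj, const char *first,
                   const char *end, int fixed)
{
    size_t size = (size_t)(end - first) + 1;
    unsigned char *raw = (unsigned char *)obj;
    if (fixed) { if (size >= RT_NAME_MAX) size = RT_NAME_MAX - 1; }
    else       { if (size >  RT_NAME_MAX) size = RT_NAME_MAX; }
    strncpy(obj->name, first, size);
    /* Assumed terminator write at offset `size`, made through the object's
     * bytes so its effect on the neighbouring field is well defined. */
    raw[offsetof(struct demo_object, name) + size] = '\0';
}

/* Copy a constructed 12-character name and return the type field afterwards.
 * *name_len is the first NUL offset in name[], or RT_NAME_MAX if none. */
uint8_t demo_run(int fixed, size_t *name_len)
{
    static const char src[] = "long_name_12";     /* constructed input */
    struct demo_object obj = { .type = 0x05 };    /* rest zeroed; constructed type */
    const char *nul;
    demo_set_name(&obj, src, src + sizeof src - 2, fixed);
    nul = memchr(obj.name, '\0', RT_NAME_MAX);
    *name_len = nul ? (size_t)(nul - obj.name) : RT_NAME_MAX;
    return obj.type;
}

int main(void)
{
    for (int fixed = 0; fixed <= 1; fixed++) {
        size_t len;
        uint8_t type = demo_run(fixed, &len);
        printf("fixed=%d type=0x%02x name_len=%zu\n", fixed, type, len);
    }
    return 0;
}
```

A `name_len` equal to `RT_NAME_MAX` means `name[]` holds no terminator, so any later string read of the name would continue into whatever follows it in memory.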
This folder provides functions that are not part of the standard C library but are part of the POSIX.1 (IEEE Standard 1003.1) standard.
NOTE
- For consistent compilation results across the different platforms (gcc, keil, iar), use:
  - #include <sys/time.h> instead of #include <time.h>
  - #include <sys/errno.h> instead of #include <errno.h>
  - #include <sys/signal.h> instead of #include <signal.h>