mesh: bound the user-facing notification sprintf calls (#10437)

Two sites built ClientNotification messages with sprintf into a fixed-size proto buffer with no length cap. The current format strings fit comfortably, but a future caller editing either format string without rechecking the buffer size would get a silent stack/heap overrun. Switch to snprintf with sizeof so the bound is enforced at the call site. Co-authored-by: Ben Meadors <benmmeadors@gmail.com>
2026-05-19 06:14:12 -04:00 · 2026-05-09 20:32:42 +02:00
parent fefd424901
commit 1bcabb893b
2 changed files with 2 additions and 2 deletions
--- a/src/mesh/NodeDB.cpp
+++ b/src/mesh/NodeDB.cpp
@@ -1881,7 +1881,7 @@ bool NodeDB::updateUser(uint32_t nodeId, meshtastic_User &p, uint8_t channelInde
                meshtastic_ClientNotification *cn = clientNotificationPool.allocZeroed();
                cn->level = meshtastic_LogRecord_Level_WARNING;
                cn->time = getValidTime(RTCQualityFromNet);
-                sprintf(cn->message, warning, p.long_name);
+                snprintf(cn->message, sizeof(cn->message), warning, p.long_name);
                service->sendClientNotification(cn);
            }
            return false;
--- a/src/mesh/Router.cpp
+++ b/src/mesh/Router.cpp
@@ -329,7 +329,7 @@ ErrorCode Router::send(meshtastic_MeshPacket *p)
            cn->reply_id = p->id;
            cn->level = meshtastic_LogRecord_Level_WARNING;
            cn->time = getValidTime(RTCQualityFromNet);
-            sprintf(cn->message, "Duty cycle limit exceeded. You can send again in %d mins", silentMinutes);
+            snprintf(cn->message, sizeof(cn->message), "Duty cycle limit exceeded. You can send again in %d mins", silentMinutes);
            service->sendClientNotification(cn);

            meshtastic_Routing_Error err = meshtastic_Routing_Error_DUTY_CYCLE_LIMIT;