From 1bcabb893b9faa612ecd346ad6df53f39828e4ec Mon Sep 17 00:00:00 2001 From: Sylwester Date: Sat, 9 May 2026 20:32:42 +0200 Subject: [PATCH] mesh: bound the user-facing notification sprintf calls (#10437) Two sites built ClientNotification messages with sprintf into a fixed-size proto buffer with no length cap. The current format strings fit comfortably, but a future caller editing either format string without rechecking the buffer size would get a silent stack/heap overrun. Switch to snprintf with sizeof so the bound is enforced at the call site. Co-authored-by: Ben Meadors --- src/mesh/NodeDB.cpp | 2 +- src/mesh/Router.cpp | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/mesh/NodeDB.cpp b/src/mesh/NodeDB.cpp index ac6880ade..ef07f68fd 100644 --- a/src/mesh/NodeDB.cpp +++ b/src/mesh/NodeDB.cpp @@ -1881,7 +1881,7 @@ bool NodeDB::updateUser(uint32_t nodeId, meshtastic_User &p, uint8_t channelInde meshtastic_ClientNotification *cn = clientNotificationPool.allocZeroed(); cn->level = meshtastic_LogRecord_Level_WARNING; cn->time = getValidTime(RTCQualityFromNet); - sprintf(cn->message, warning, p.long_name); + snprintf(cn->message, sizeof(cn->message), warning, p.long_name); service->sendClientNotification(cn); } return false; diff --git a/src/mesh/Router.cpp b/src/mesh/Router.cpp index ffeb7c539..197566899 100644 --- a/src/mesh/Router.cpp +++ b/src/mesh/Router.cpp @@ -329,7 +329,7 @@ ErrorCode Router::send(meshtastic_MeshPacket *p) cn->reply_id = p->id; cn->level = meshtastic_LogRecord_Level_WARNING; cn->time = getValidTime(RTCQualityFromNet); - sprintf(cn->message, "Duty cycle limit exceeded. You can send again in %d mins", silentMinutes); + snprintf(cn->message, sizeof(cn->message), "Duty cycle limit exceeded. You can send again in %d mins", silentMinutes); service->sendClientNotification(cn); meshtastic_Routing_Error err = meshtastic_Routing_Error_DUTY_CYCLE_LIMIT;