From 7ff6641f97d060ed548d5dc8b0f6e6f74207207a Mon Sep 17 00:00:00 2001
From: Dirk Mueller <dirk@dmllr.de>
Date: Tue, 12 May 2026 13:26:13 +0200
Subject: [PATCH] Fix missing potential null termination in xmodem filename
 handling (#10308)

* Fix missing potential null termination in xmodem filename handling

The packet size max is 128 bytes, and the filename is 128 bytes, so
potentially there is no NUL at the end. use strlcpy() as that takes
care of null termination even if buffer size is exceeded.

* Protect against theoretical buffer overflows in BLE logging

---------

Co-authored-by: Ben Meadors <benmmeadors@gmail.com>
---
 src/RedirectablePrint.cpp | 4 ++--
 src/xmodem.cpp            | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/RedirectablePrint.cpp b/src/RedirectablePrint.cpp
index 9450f8990..2d6cc13ec 100644
--- a/src/RedirectablePrint.cpp
+++ b/src/RedirectablePrint.cpp
@@ -230,9 +230,9 @@ void RedirectablePrint::log_to_ble(const char *logLevel, const char *format, va_
             auto thread = concurrency::OSThread::currentThread;
             meshtastic_LogRecord logRecord = meshtastic_LogRecord_init_zero;
             logRecord.level = getLogLevel(logLevel);
-            vsprintf(logRecord.message, format, arg);
+            vsnprintf(logRecord.message, sizeof(logRecord.message), format, arg);
             if (thread)
-                strcpy(logRecord.source, thread->ThreadName.c_str());
+                strlcpy(logRecord.source, thread->ThreadName.c_str(), sizeof(logRecord.source));
             logRecord.time = getValidTime(RTCQuality::RTCQualityDevice, true);
 
             auto buffer = std::unique_ptr<uint8_t[]>(new uint8_t[meshtastic_LogRecord_size]);
diff --git a/src/xmodem.cpp b/src/xmodem.cpp
index 1d8c77760..596732975 100644
--- a/src/xmodem.cpp
+++ b/src/xmodem.cpp
@@ -119,7 +119,8 @@ void XModemAdapter::handlePacket(meshtastic_XModem xmodemPacket)
     case meshtastic_XModem_Control_STX:
         if ((xmodemPacket.seq == 0) && !isReceiving && !isTransmitting) {
             // NULL packet has the destination filename
-            memcpy(filename, &xmodemPacket.buffer.bytes, xmodemPacket.buffer.size);
+            strncpy(filename, (const char *)xmodemPacket.buffer.bytes, sizeof(filename) - 1);
+            filename[sizeof(filename) - 1] = '\0';
 
             if (xmodemPacket.control == meshtastic_XModem_Control_SOH) { // Receive this file and put to Flash
                 spiLock->lock();