@weebl2000 weebl2000 commented Feb 11, 2026

Summary

  • Replaces unsafe sprintf calls with snprintf across multiple modules
  • Replaces unsafe strcpy calls with strncpy + null termination
  • Prevents potential buffer overflows from untrusted or variable-length input

Changes by file:

| File | Issue | Fix |
| --- | --- | --- |
| DetectionSensorModule.cpp | sprintf into 40-byte buf with user-configurable sensor name (up to 20 bytes) | snprintf(msg, 40, ...) |
| DropzoneModule.cpp | sprintf with owner.short_name/long_name from mesh + weather data | snprintf(buf, sizeof(buf), ...) |
| KeyVerificationModule.cpp | 5x sprintf into ClientNotification message buffers | snprintf(cn->message, sizeof(cn->message), ...) |
| NodeDB.cpp | sprintf warning message with remote long_name (40 bytes) | snprintf(cn->message, sizeof(cn->message), ...) |
| RedirectablePrint.cpp | strcpy into 384-byte logRecord.message and 32-byte logRecord.source | strncpy + null termination |
| FSCommon.cpp | strcpy filesystem path into 228-byte fileInfo.file_name | strncpy + null termination |
| NodeInfoModule.cpp | strcpy node ID into 16-byte u.id | strncpy + null termination |

Background

MeshCore's security audit flagged widespread sprintf/strcpy usage without bounds checking. The same pattern exists in Meshtastic. While most buffers are sized adequately for typical data, user-configurable fields (sensor names, node names) and mesh-received data (owner names) could exceed buffer limits.

Test plan

  • Verify tbeam build succeeds
  • Verify detection sensor messages still send correctly
  • Verify dropzone conditions responses format correctly
  • Verify key verification UI notifications display correctly
  • Verify BLE log records don't truncate normal messages

github-actions bot added the needs-review and enhancement labels Feb 11, 2026

weebl2000 force-pushed the fix/sprintf-strcpy-bounds branch from 26e62a8 to af3610e, February 11, 2026 12:49
Replace unsafe sprintf calls with snprintf and strcpy with strncpy
across multiple modules to prevent potential buffer overflows from
untrusted or variable-length input data.

Affected files:
- DetectionSensorModule: user-configurable sensor name into fixed buf
- DropzoneModule: owner name and weather data formatting
- KeyVerificationModule: all client notification messages
- NodeDB: warning message with remote node long_name
- RedirectablePrint: log message and thread name into LogRecord
- FSCommon: filesystem path into FileInfo
- NodeInfoModule: node ID string into User struct

weebl2000 force-pushed the fix/sprintf-strcpy-bounds branch from af3610e to 45797bc, February 11, 2026 12:56
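
The two replacements named in the PR description, shown as an added example that is not code from the pull request or from Meshtastic: `strncpy` with explicit termination, and `snprintf` with its return value checked so truncation is detected rather than silent. `copy_bounded` and `format_event` are hypothetical helpers, the format string and inputs are constructed, and only the buffer sizes (16 and 40 bytes) come from the table above.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the PR): strncpy plus explicit termination.
 * Returns 1 if src did not fit in dst and was cut, 0 otherwise. */
static int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return 1;
    /* strncpy writes no terminator when src has dst_size - 1 or more chars */
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    /* Cut only if dst is full and src still has a non-NUL byte after it */
    size_t copied = strlen(dst);
    return copied == dst_size - 1 && src[copied] != '\0';
}

/* Hypothetical helper: snprintf returns the length the full output would
 * have had, so a value >= msg_size means the message was truncated.
 * Returns 0 if it fit, 1 if truncated, -1 on a formatting error. */
static int format_event(char *msg, size_t msg_size,
                        const char *name, const char *state)
{
    int n = snprintf(msg, msg_size, "%s %s", name, state);
    if (n < 0)
        return -1;
    return (size_t)n >= msg_size;
}

int main(void)
{
    char id[16];  /* size of u.id per the PR table */
    char msg[40]; /* size of the detection sensor buffer per the PR table */

    /* Constructed sample inputs */
    int cut = copy_bounded(id, sizeof(id), "0123456789abcdefXYZ");
    printf("id=\"%s\" truncated=%d\n", id, cut);

    cut = format_event(msg, sizeof(msg), "ABCDEFGHIJKLMNOPQRST",
                       "state changed to high level");
    printf("msg=\"%s\" truncated=%d\n", msg, cut);
    return 0;
}
```

Surfacing the truncation flag lets a caller log or reject over-long names instead of forwarding a silently shortened string.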