$ man strncpy
...
The strncpy() function is similar, except that at most n bytes of src are copied. Warning: If there is no null byte among the first n bytes of src, the string placed in dest will not be null-terminated.
If cmd is longer than COMMANDER_MAX_COMMAND_SIZE, strncpy will not terminate the string in tempBuff. The next function call to hasChar will continue reading the string until it finds a null character, thus reading past the end of tempBuff.
I have done some very limited testing and it seems that the byte immediately following tempBuff in memory happens to be 0x00 in my case. However, this is not guaranteed.
tempBuff[COMMANDER_MAX_COMMAND_SIZE - 1] == 0x39 // '9'
tempBuff[COMMANDER_MAX_COMMAND_SIZE] == 0x00 // past the end of the buffer!
Describe the bug https://github.com/dani007200964/Commander-API/blob/9d185dcbdbec260cebfd8d8f1204752a47d0b76a/src/Commander-API.cpp#L318-L320
If
cmd
is longer thanCOMMANDER_MAX_COMMAND_SIZE
,strncpy
will not terminate the string intempBuff
. The next function call tohasChar
will continue reading the string until it finds a null character, thus reading past the end oftempBuff
.I have done some very limited testing and it seems that the byte immediately following
tempBuff
in memory happens to be0x00
in my case. However, this is not guaranteed.A quick fix could be something like this:
However, this would result in a maximum command size of
COMMANDER_MAX_COMMAND_SIZE - 1
. If you wanted to keep the max command size, you would need to maketempBuff
1 byte longer. https://github.com/dani007200964/Commander-API/blob/9d185dcbdbec260cebfd8d8f1204752a47d0b76a/src/Commander-API.hpp#L258-L262 Warning: I have not actually tested this fix.