In `pa6h` sensorhub driver it is possible that nul-terminating messages at the end of `pa6h_receiver()`: https://github.com/phoenix-rtos/phoenix-rtos-devices/blob/acb0abfed72acc2611e6a69a41efb20a5fdac34e/sensors/gps/pa6h.c#L186-L188

The code above sets nul character at the `sz` element of message which is calculated as token pointer difference + 4. It should place nul character one sign earlier. If buffer ends exactly at the `tokenEnd + 3` this means writing outside of buffer.

In a rare error event it could even replace `$` of the next message with nul character. It should be checked earlier in code.

I am self assigning this issue to not lose it.
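
The off-by-one described in this issue, modelled as an added example (it is not the driver's code, which is not reproduced on this page). The function names, the `*` token-end marker and the sample messages are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed samples (checksum digits arbitrary). ONE ends exactly at
 * token end + 3; TWO has a second message directly after the first '\r'. */
static const char ONE[] = "$GPGGA,1*5A\r";
static const char TWO[] = "$GPGGA,1*5A\r$GPRMC,2*6B\r\n";

/* Assumption: the token end is the '*' marker. Returns buflen if absent. */
static size_t find_token_end(const char *buf, size_t buflen, size_t start)
{
    const char *p = (start < buflen) ? memchr(buf + start, '*', buflen - start) : NULL;
    return p ? (size_t)(p - buf) : buflen;
}

/* Absolute index written when sz = token pointer difference + 4. */
static size_t nul_index_reported(size_t token_end) { return token_end + 4; }

/* Index one character earlier, as the issue proposes. */
static size_t nul_index_proposed(size_t token_end) { return token_end + 3; }

/* Terminates the message at start; returns 0, or -1 without writing when
 * the terminator would fall outside buf. */
static int terminate_message(char *buf, size_t buflen, size_t start)
{
    size_t te = find_token_end(buf, buflen, start);
    if (te >= buflen || buflen - te <= 3)
        return -1;
    buf[nul_index_proposed(te)] = '\0';
    return 0;
}

int main(void)
{
    char buf[sizeof(TWO)];
    size_t len = sizeof(ONE) - 1, te = find_token_end(ONE, len, 0);
    printf("buffer length %zu, reported index %zu, proposed index %zu\n",
           len, nul_index_reported(te), nul_index_proposed(te));
    memcpy(buf, TWO, sizeof(TWO));
    printf("byte at reported index in TWO: '%c'\n", buf[nul_index_reported(te)]);
    printf("terminate: %d, message: %s\n", terminate_message(buf, sizeof(TWO) - 1, 0), buf);
    return 0;
}
```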