settings: zms: use the safe function strnlen instead of strlen

if the provided name in argument is not null this could lead to un
undefined behavior.
Use strnlen to make this safe

Signed-off-by: Riadh Ghaddab <rghaddab@baylibre.com>

Author: rghaddab

include/zephyr/settings/settings.h

@@ -45,6 +45,9 @@ extern "C" {
  */
 #define SETTINGS_EXTRA_LEN ((SETTINGS_MAX_DIR_DEPTH - 1) + 2)
 
+/* Maximum Settings name length including separators */
+#define SETTINGS_FULL_NAME_LEN ((SETTINGS_MAX_NAME_LEN) + (SETTINGS_EXTRA_LEN) + 1)
+
 /**
  * Function used to read the data from the settings storage in
  * h_set handler implementations.

subsys/settings/src/settings_zms.c

@@ -3,6 +3,9 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 
+#undef _POSIX_C_SOURCE
+#define _POSIX_C_SOURCE 200809L /* for strnlen() */
+
 #include <errno.h>
 #include <string.h>
 
@@ -169,12 +172,13 @@ static int settings_zms_load_subtree(struct settings_store *cs, const struct set
 {
 	struct settings_zms *cf = CONTAINER_OF(cs, struct settings_zms, cf_store);
 	struct settings_zms_read_fn_arg read_fn_arg;
-	char name[SETTINGS_MAX_NAME_LEN + SETTINGS_EXTRA_LEN + 1];
+	char name[SETTINGS_FULL_NAME_LEN];
 	ssize_t rc1;
 	ssize_t rc2;
 	uint32_t name_hash;
+	size_t name_len = strnlen(arg->subtree, SETTINGS_FULL_NAME_LEN);
 
-	name_hash = sys_hash32(arg->subtree, strlen(arg->subtree)) & ZMS_HASH_MASK;
+	name_hash = sys_hash32(arg->subtree, name_len) & ZMS_HASH_MASK;
 	for (int i = 0; i <= cf->hash_collision_num; i++) {
 		name_hash = ZMS_UPDATE_COLLISION_NUM(name_hash, i);
 		/* Get the name entry from ZMS */
@@ -214,17 +218,21 @@ static ssize_t settings_zms_load_one(struct settings_store *cs, const char *name
 				     size_t buf_len)
 {
 	struct settings_zms *cf = CONTAINER_OF(cs, struct settings_zms, cf_store);
-	char r_name[SETTINGS_MAX_NAME_LEN + SETTINGS_EXTRA_LEN + 1];
+	char r_name[SETTINGS_FULL_NAME_LEN];
 	ssize_t rc = 0;
 	uint32_t name_hash;
 	uint32_t value_id;
+	size_t name_len;
 
 	/* verify that name is not NULL */
 	if (!name || !buf) {
 		return -EINVAL;
 	}
 
-	name_hash = sys_hash32(name, strlen(name)) & ZMS_HASH_MASK;
+	/* get the name length */
+	name_len = strnlen(name, SETTINGS_FULL_NAME_LEN);
+
+	name_hash = sys_hash32(name, name_len) & ZMS_HASH_MASK;
 	for (int i = 0; i <= cf->hash_collision_num; i++) {
 		name_hash = ZMS_UPDATE_COLLISION_NUM(name_hash, i);
 		/* Get the name entry from ZMS */
@@ -260,7 +268,7 @@ static int settings_zms_load(struct settings_store *cs, const struct settings_lo
 	struct settings_zms *cf = CONTAINER_OF(cs, struct settings_zms, cf_store);
 	struct settings_zms_read_fn_arg read_fn_arg;
 	struct settings_hash_linked_list settings_element;
-	char name[SETTINGS_MAX_NAME_LEN + SETTINGS_EXTRA_LEN + 1];
+	char name[SETTINGS_FULL_NAME_LEN];
 	ssize_t rc1;
 	ssize_t rc2;
 	uint32_t ll_hash_id;
@@ -381,23 +389,27 @@ static int settings_zms_save(struct settings_store *cs, const char *name, const
 {
 	struct settings_zms *cf = CONTAINER_OF(cs, struct settings_zms, cf_store);
 	struct settings_hash_linked_list settings_element;
-	char rdname[SETTINGS_MAX_NAME_LEN + SETTINGS_EXTRA_LEN + 1];
+	char rdname[SETTINGS_FULL_NAME_LEN];
 	uint32_t name_hash;
 	uint32_t collision_num = 0;
 	bool delete;
 	bool write_name;
 	bool hash_collision;
 	int rc = 0;
 	int first_available_hash_index = -1;
+	size_t name_len;
 
 	if (!name) {
 		return -EINVAL;
 	}
 
+	/* get the name length */
+	name_len = strnlen(name, SETTINGS_FULL_NAME_LEN);
+
 	/* Find out if we are doing a delete */
 	delete = ((value == NULL) || (val_len == 0));
 
-	name_hash = sys_hash32(name, strlen(name)) & ZMS_HASH_MASK;
+	name_hash = sys_hash32(name, name_len) & ZMS_HASH_MASK;
 	/* MSB is always 1 */
 	name_hash |= BIT(31);
 
@@ -421,7 +433,7 @@ static int settings_zms_save(struct settings_store *cs, const char *name, const
 		 * name
 		 */
 		rdname[rc] = '\0';
-		if (!strcmp(name, rdname)) {
+		if ((rc == name_len) && !memcmp(name, rdname, rc)) {
 			/* Hash exist and the names are equal, we should
 			 * not write the names again.
 			 */
@@ -524,7 +536,7 @@ static int settings_zms_save(struct settings_store *cs, const char *name, const
 no_ll_update:
 #endif /* CONFIG_SETTINGS_ZMS_NO_LL_DELETE */
 		/* Now let's write the name */
-		rc = zms_write(&cf->cf_zms, name_hash, name, strlen(name));
+		rc = zms_write(&cf->cf_zms, name_hash, name, name_len);
 		if (rc < 0) {
 			return rc;
 		}
@@ -535,16 +547,20 @@ static int settings_zms_save(struct settings_store *cs, const char *name, const
 static ssize_t settings_zms_get_val_len(struct settings_store *cs, const char *name)
 {
 	struct settings_zms *cf = CONTAINER_OF(cs, struct settings_zms, cf_store);
-	char r_name[SETTINGS_MAX_NAME_LEN + SETTINGS_EXTRA_LEN + 1];
+	char r_name[SETTINGS_FULL_NAME_LEN];
 	ssize_t rc = 0;
 	uint32_t name_hash;
+	size_t name_len;
 
 	/* verify that name is not NULL */
 	if (!name) {
 		return -EINVAL;
 	}
 
-	name_hash = sys_hash32(name, strlen(name)) & ZMS_HASH_MASK;
+	/* get the name length */
+	name_len = strnlen(name, SETTINGS_FULL_NAME_LEN);
+
+	name_hash = sys_hash32(name, name_len) & ZMS_HASH_MASK;
 	for (int i = 0; i <= cf->hash_collision_num; i++) {
 		name_hash = ZMS_UPDATE_COLLISION_NUM(name_hash, i);
 		/* Get the name entry from ZMS */