Skip to content

app: Fix stack corruption with binary to hex conversion#173

Merged
MarkusLassila merged 1 commit into
nrfconnect:mainfrom
MarkusLassila:fix-stack-corruption
Feb 10, 2026
Merged

app: Fix stack corruption with binary to hex conversion#173
MarkusLassila merged 1 commit into
nrfconnect:mainfrom
MarkusLassila:fix-stack-corruption

Conversation

@MarkusLassila

@MarkusLassila MarkusLassila commented Feb 9, 2026

Copy link
Copy Markdown
Contributor

sm_util_htoa used sprintf to convert from binary to hex.
With data sizes exceeding the buffer, the null-character was
written beyond allocated space. In this particular case the
socket pointer was corrupted.

sm_util_htoa and sm_util_atoh replaced with bin2hex and hex2bin.

Jira: SM-245

Comment thread app/src/sm_util.c
}

for (int i = 0; i < hex_len; i++) {
sprintf(ascii + (i * 2), "%02X", *(hex + i));

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This caused the stack corruption. When filling the whole buffer, the terminating null-character was written beyond the buffer.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes a stack corruption issue caused by sprintf writing a '\0' past the end of the destination buffer during binary↔hex conversions, and updates call sites accordingly.

Changes:

  • Reworked binary-to-hex and hex-to-binary conversion helpers and renamed the APIs.
  • Tightened hex-string validation and replaced sprintf/strncpy/strtoul conversions with manual nibble conversion.
  • Updated socket and carrier codepaths to use the new conversion helpers and buffers.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.

File Description
app/src/sm_util.h Renames/clarifies hex helpers and updates API documentation.
app/src/sm_util.c Replaces sprintf-based conversion with manual conversion and updates validation.
app/src/sm_at_socket.c Switches socket send paths to use the new bin2hex/hex2bin helpers.
app/src/lwm2m_carrier/sm_at_carrier.c Switches carrier app-data paths to the new conversion helpers and variable naming.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread app/src/sm_util.c Outdated
Comment thread app/src/sm_util.c Outdated
Comment thread app/src/sm_util.c Outdated
Comment thread app/src/sm_at_socket.c Outdated
Comment thread app/src/lwm2m_carrier/sm_at_carrier.c Outdated
@MarkusLassila MarkusLassila marked this pull request as draft February 9, 2026 14:37
@MarkusLassila

Copy link
Copy Markdown
Contributor Author

Reworking this to use zephyr defaults.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 6 comments.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread app/src/sm_at_socket.c Outdated
Comment thread app/src/sm_at_socket.c
Comment thread app/src/sm_at_socket.c Outdated
Comment thread app/src/sm_at_socket.c Outdated
Comment thread app/src/sm_at_socket.c Outdated
Comment thread app/src/lwm2m_carrier/sm_at_carrier.c Outdated
Comment thread app/src/sm_at_socket.c
@MarkusLassila MarkusLassila marked this pull request as ready for review February 10, 2026 12:46

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread app/src/sm_at_socket.c
int fd;
uint16_t mode;
int size;
size_t size;

Copilot AI Feb 10, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do_send() (per context) takes const uint8_t *data and an int len, but this code passes a const char * (str_ptr) and a size_t (size). This can trigger incompatible-pointer and narrowing conversion warnings and risks truncation if sizes ever exceed INT_MAX. Prefer keeping a const uint8_t *data_ptr for the payload buffer (cast once where needed), and either change do_send()/do_sendto() to accept size_t lengths or add an explicit, bounded cast at the call site.

Suggested change
size_t size;
int size;

Copilot uses AI. Check for mistakes.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

size to be dealt in later PR.

Comment thread app/src/sm_at_socket.c Outdated
Comment thread app/src/sm_at_socket.c Outdated
Comment thread app/src/lwm2m_carrier/sm_at_carrier.c Outdated
@MarkusLassila

Copy link
Copy Markdown
Contributor Author

@kacperradoszewski: We have to merge this today. Feel free to comment later on the sm_at_carrier.c parts.

sm_util_htoa used sprintf to convert from binary to hex.
With data sizes exceeding the buffer, the null-character was
written beyond allocated space. In this particular case the
socket pointer was corrupted.

sm_util_htoa and sm_util_atoh replaced with bin2hex and hex2bin.

Signed-off-by: Markus Lassila <markus.lassila@nordicsemi.no>
@kacperradoszewski

Copy link
Copy Markdown

@kacperradoszewski: We have to merge this today. Feel free to comment later on the sm_at_carrier.c parts.

Sorry, had to prioritize other stuff today. I did a quick sanity check now and everything seemed ok 👍

@MarkusLassila MarkusLassila merged commit ee0284b into nrfconnect:main Feb 10, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants