Potential fix for code scanning alert no. 19: Potentially overflowing call to snprintf

.github/workflows/build-rootfs.yml

@@ -3,6 +3,7 @@
 name: z-wave-protocol-controller Build in rootfs for arch
 
 on:  # yamllint disable-line rule:truthy
+  # pull_request_target: # Avoid to prevent CodeQL CWE-829
   push:
     tags:
       - '*'
@@ -18,6 +19,9 @@ jobs:
           - arm64
           # - armhf # TODO Enable when supported
     steps:
+      - name: Security check
+        if: ${{ github.event.action == 'pull_request_target'}}
+        run: echo "Prevent running (CodeQL CWE-829)" && exit 1
       # yamllint disable-line rule:line-length
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:

.github/workflows/build.yml

@@ -6,6 +6,8 @@
 name: build
 
 on:  # yamllint disable-line rule:truthy
+  pull_request:
+  # pull_request_target: # Avoid to prevent CodeQL CWE-829
   push:
 
 jobs:
@@ -16,6 +18,9 @@ jobs:
       project-name: z-wave-protocol-controller  # Align to docker (lowercase)
     runs-on: ubuntu-22.04
     steps:
+      - name: Security check
+        if: ${{ github.event.action == 'pull_request_target'}}
+        run: echo "Prevent running (CodeQL CWE-829)" && exit 1
       # yamllint disable-line rule:line-length
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:

.github/workflows/test.yml

@@ -9,6 +9,7 @@ name: test
 run-name: "test: ${{ github.event.workflow_run.head_branch }}#${{ github.event.workflow_run.head_commit.id }}"
 
 on:  # yamllint disable-line rule:truthy
+  # pull_request_target: # Avoid to prevent CodeQL CWE-829
   workflow_run:
     workflows: ["build"]
     types:
@@ -17,20 +18,23 @@ on:  # yamllint disable-line rule:truthy
 jobs:
   test:
     permissions:
+      actions: read
       contents: read
       statuses: write
     env:
       project-name: z-wave-protocol-controller  # Align to docker (lowercase)
     runs-on: ubuntu-24.04
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
     steps:
+      - name: Security check
+        if: ${{ github.event.action == 'pull_request_target'}}
+        run: echo "Prevent running (CodeQL CWE-829)" && exit 1
       - name: Download image
         # yamllint disable-line rule:line-length
         uses: ishworkh/container-image-artifact-download@ccb3671db007622e886a2d7037eb62b119d5ffaf  # v2.0.0
         with:
           image: "${{ env.project-name }}:latest"
           workflow: "build"
-          token: ${{ secrets.GH_SL_ACCESS_TOKEN }}
           workflow_run_id: ${{ github.event.workflow_run.id }}
 
       # yamllint disable-line rule:line-length

applications/zpc/applications/zwave_api_demo/src/zwave_api_demo_callbacks.c

@@ -305,12 +305,21 @@ void zwapi_demo_zwave_api_started(const uint8_t *buffer, uint8_t buffer_length)
   char message[MAXIMUM_MESSAGE_SIZE];
   uint8_t index = 0;
 
-  index += snprintf(message + index,
-                    sizeof(message) - index,
-                    "Z-Wave API started. Current NIF: ");
+  int n = snprintf(message + index,
+                   sizeof(message) - index,
+                   "Z-Wave API started. Current NIF: ");
+  if (n < 0 || n >= (int)(sizeof(message) - index)) {
+    sl_log_error(LOG_TAG, "Buffer overflow prevented while writing message.");
+    return;
+  }
+  index += n;
   for (uint8_t i = 0; i < buffer_length; i++) {
-    index
-      += snprintf(message + index, sizeof(message) - index, "%02X ", buffer[i]);
+    n = snprintf(message + index, sizeof(message) - index, "%02X ", buffer[i]);
+    if (n < 0 || n >= (int)(sizeof(message) - index)) {
+      sl_log_error(LOG_TAG, "Buffer overflow prevented while writing message.");
+      return;
+    }
+    index += n;
   }
   sl_log_info(LOG_TAG, "%s\n", message);
 }

applications/zpc/components/zwave/zwave_rx/src/zwave_rx.c

@@ -11,6 +11,7 @@
  *
  *****************************************************************************/
 //Generic includes
+#include <assert.h>
 #include <stdlib.h>
 
 // Includes from other components
@@ -89,11 +90,18 @@ static void zwave_rx_print_protocol_version(
   char git_commit_string[GIT_COMMIT_HASH_SIZE * 2 + 1] = {0};
   uint16_t index                                       = 0;
   for (uint8_t i = 0; i < GIT_COMMIT_HASH_SIZE; i++) {
-    index += snprintf(git_commit_string + index,
-                      sizeof(git_commit_string) - index,
-                      "%x",
-                      zwapi_version.git_commit[i]);
-  }
+    int written = snprintf(git_commit_string + index,
+                     sizeof(git_commit_string) - index,
+                     "%x",
+                     zwapi_version.git_commit[i]);
+    if (written < 0 || written >= (int)(sizeof(git_commit_string) - index)) {
+      sl_log_error(LOG_TAG, "Error in zwave_rx_print_protocol_version");
+      assert(false);
+      // Stop processing if snprintf fails or would overflow the buffer
+      break;
+    }
+   index += written;
+ }
 
   sl_log_info(LOG_TAG,
               "Z-Wave API protocol git commit: %s\n",

applications/zpc/components/zwave_api/src/zwapi_connection.c

@@ -50,14 +50,37 @@ static const char *zwapi_frame_to_string(const uint8_t *buffer,
       // Don't log the SOF byte.
       continue;
     } else if (i == 1) {
-      index += snprintf(message + index, sizeof(message) - index, "Length=");
+      {
+        int n = snprintf(message + index, sizeof(message) - index, "Length=");
+        if (n < 0 || n >= sizeof(message) - index) {
+          break;
+        }
+        index += n;
+      }
     } else if (i == 2) {
-      index += snprintf(message + index, sizeof(message) - index, "Type=");
+      {
+        int n = snprintf(message + index, sizeof(message) - index, "Type=");
+        if (n < 0 || n >= sizeof(message) - index) {
+          break;
+        }
+        index += n;
+      }
     } else if (i == 3) {
-      index += snprintf(message + index, sizeof(message) - index, "Cmd=");
+      {
+        int n = snprintf(message + index, sizeof(message) - index, "Cmd=");
+        if (n < 0 || n >= sizeof(message) - index) {
+          break;
+        }
+        index += n;
+      }
+    }
+    {
+      int n = snprintf(message + index, sizeof(message) - index, "%02X ", buffer[i]);
+      if (n < 0 || n >= sizeof(message) - index) {
+        break;
+      }
+      index += n;
     }
-    index
-      += snprintf(message + index, sizeof(message) - index, "%02X ", buffer[i]);
   }
   return message;
 }