system: readline: Improve security

system/readline/readline_common.c

@@ -144,6 +144,7 @@ static int count_builtin_matches(FAR char *buf, FAR int *matches, int namelen)
  *   vtbl   - vtbl used to access implementation specific interface
  *   buf     - The user allocated buffer to be filled.
  *   buflen  - the size of the buffer.
+ *   nch     - the number of characters.
  *
  * Returned Value:
  *   None.
@@ -152,7 +153,7 @@ static int count_builtin_matches(FAR char *buf, FAR int *matches, int namelen)
 
 #ifdef CONFIG_READLINE_TABCOMPLETION
 static void tab_completion(FAR struct rl_common_s *vtbl, char *buf,
-                           int *nch)
+                           int buflen, int *nch)
 {
   FAR const char *name = NULL;
   char tmp_name[CONFIG_TASK_NAME_SIZE + 1];
@@ -271,7 +272,7 @@ static void tab_completion(FAR struct rl_common_s *vtbl, char *buf,
 
               if (tmp_name[0] == '\0')
                 {
-                  strcpy(tmp_name, name);
+                  strncpy(tmp_name, name, sizeof(tmp_name) - 1);
                 }
 
               RL_PUTC(vtbl, ' ');
@@ -306,7 +307,7 @@ static void tab_completion(FAR struct rl_common_s *vtbl, char *buf,
 
               if (tmp_name[0] == '\0')
                 {
-                  strcpy(tmp_name, name);
+                  strncpy(tmp_name, name, sizeof(tmp_name) - 1);
                 }
 
               RL_PUTC(vtbl, ' ');
@@ -329,7 +330,7 @@ static void tab_completion(FAR struct rl_common_s *vtbl, char *buf,
               RL_PUTC(vtbl, '\n');
             }
 #endif
-          strcpy(buf, tmp_name);
+          strncpy(buf, tmp_name, buflen - 1);
 
           name_len = strlen(tmp_name);
 
@@ -729,7 +730,7 @@ ssize_t readline_common(FAR struct rl_common_s *vtbl, FAR char *buf, int buflen)
 #ifdef CONFIG_READLINE_TABCOMPLETION
      else if (ch == '\t') /* Nghia - TAB character */
         {
-          tab_completion(vtbl, buf, &nch);
+          tab_completion(vtbl, buf, buflen, &nch);
         }
 #endif
     }