fix: use bounded strlcpy/snprintf in process_message.c

[orbisai0security]

Summary

Fix critical severity security issue in db/process_message.c.

Vulnerability

Field	Value
ID	V-001
Severity	CRITICAL
Scanner	multi_agent_ai
Rule	V-001
File	db/process_message.c:1427
Assessment	Confirmed exploitable

Description: The process_message.c file uses strcpy at line 1427 to copy a token (tok) into a buffer (zCtx) without any bounds checking. The tok variable comes from parsing incoming messages via strtok_r(), and its length is not validated before the copy. If an attacker sends a message with an oversized token, this will overflow the zCtx buffer, potentially overwriting adjacent memory including return addresses or function pointers.

Evidence

Exploitation scenario: An attacker sends a crafted message to the database process_message handler containing a token longer than the zCtx buffer size.

Scanner confirmation: multi_agent_ai rule V-001 flagged this pattern.

Production code: This file is in the production codebase, not test-only code.

Changes

• db/process_message.c

Verification

• Build passes
• Scanner re-scan confirms fix
• LLM code review passed

Security Invariant

Property: The security boundary is maintained under adversarial input

Regression test

#include <check.h>
#include <stdlib.h>
#include <string.h>
#include <setjmp.h>
#include <signal.h>

extern void process_message(const char *message);

static jmp_buf jump_buffer;
static void segfault_handler(int sig) {
    longjmp(jump_buffer, 1);
}

START_TEST(test_message_processing_memory_safety)
{
    // Invariant: process_message must not corrupt memory or crash regardless of input size
    const char *payloads[] = {
        "NORMAL_TOKEN",
        "A",
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
        "TOKEN1 TOKEN2 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
    };
    int num_payloads = sizeof(payloads) / sizeof(payloads[0]);

    signal(SIGSEGV, segfault_handler);
    signal(SIGABRT, segfault_handler);

    for (int i = 0; i < num_payloads; i++) {
        if (setjmp(jump_buffer) == 0) {
            process_message(payloads[i]);
            ck_assert_msg(1, "Message processed without crash");
        } else {
            ck_abort_msg("Memory corruption detected: process_message crashed on payload %d", i);
        }
    }

    signal(SIGSEGV, SIG_DFL);
    signal(SIGABRT, SIG_DFL);
}
END_TEST

Suite *security_suite(void)
{
    Suite *s;
    TCase *tc_core;

    s = suite_create("Security");
    tc_core = tcase_create("Core");

    tcase_add_test(tc_core, test_message_processing_memory_safety);
    suite_add_tcase(s, tc_core);

    return s;
}

int main(void)
{
    int number_failed;
    Suite *s;
    SRunner *sr;

    s = security_suite();
    sr = srunner_create(s);

    srunner_run_all(sr, CK_NORMAL);
    number_failed = srunner_ntests_failed(sr);
    srunner_free(sr);

    return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
}

This test guards against regressions — it's useful independent of the code change above.

---

Automated security fix by OrbisAI Security