From c6e39b8286ec5037041eedc01754b7690af11b70 Mon Sep 17 00:00:00 2001
From: xiao-77
Date: Tue, 26 Nov 2024 19:23:10 +0800
Subject: [PATCH] fix heap over flow at obj str.
---
 source/dnode/mnode/impl/src/mndConfig.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/source/dnode/mnode/impl/src/mndConfig.c b/source/dnode/mnode/impl/src/mndConfig.c
index e861f1c0e8..09754b8344 100644
--- a/source/dnode/mnode/impl/src/mndConfig.c
+++ b/source/dnode/mnode/impl/src/mndConfig.c
@@ -112,8 +112,9 @@ SSdbRaw *mnCfgActionEncode(SConfigObj *obj) {
 case CFG_DTYPE_CHARSET:
 case CFG_DTYPE_TIMEZONE:
 if (obj->str != NULL) {
- SDB_SET_INT32(pRaw, dataPos, strlen(obj->str), _OVER)
- SDB_SET_BINARY(pRaw, dataPos, obj->str, strlen(obj->str), _OVER)
+ int32_t len = strlen(obj->str) + 1;
+ SDB_SET_INT32(pRaw, dataPos, len, _OVER)
+ SDB_SET_BINARY(pRaw, dataPos, obj->str, len, _OVER)
 } else {
 SDB_SET_INT32(pRaw, dataPos, 0, _OVER)
 }
@@ -184,7 +185,7 @@ SSdbRow *mndCfgActionDecode(SSdbRaw *pRaw) {
 case CFG_DTYPE_TIMEZONE:
 SDB_GET_INT32(pRaw, dataPos, &len, _OVER)
 if (len > 0) {
- obj->str = taosMemoryMalloc(len + 1);
+ obj->str = taosMemoryMalloc(len);
 SDB_GET_BINARY(pRaw, dataPos, obj->str, len, _OVER)
 }
 break;
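Review bot: In the CFG_DTYPE_CHARSET/CFG_DTYPE_TIMEZONE case of mnCfgActionEncode, each string record now grows by one byte, but the allocation of pRaw is outside this hunk, so it is not visible whether its size is computed from the same `strlen(obj->str) + 1`. If it is not, SDB_SET_BINARY will either bail out to _OVER or, should the macro not bound-check, write past the raw buffer. `int32_t len = strlen(obj->str) + 1;` also narrows a size_t to int32_t without a range check. A comment on that line such as `/* stored length includes the trailing NUL; the decoder relies on it */` would record the format change for the next reader.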
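Review bot: In mndCfgActionDecode, obj->str is only NUL-terminated if the stored bytes happen to end in a NUL, because `taosMemoryMalloc(len)` leaves no room for a terminator and nothing writes one. A record persisted by the previous encoder (length without the terminator), or a damaged one, would give an unterminated obj->str and the same heap over-read on the next string operation. Keeping `taosMemoryMalloc(len + 1)` and adding `obj->str[len] = '\0';` after SDB_GET_BINARY handles both record formats; the allocation result is also used unchecked, so a guard like `if (obj->str == NULL) goto _OVER;` (with whatever error code the function uses) belongs before the copy. The function continues outside the hunk, so whether `len` is given an upper bound elsewhere cannot be seen here.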