MAX_FIELD_NAME_LENGTH overrun in dbFindField
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
EPICS Base | Fix Released | Medium | Andrew Johnson |
Bug Description
From Jane Richards/Rolf Keitel:
Hi,
Suffice to say that serendipity played a big part - but we now have a definitive way to crash our Intel IOCs (PC104- and VME-based Pentium) using EPICS R3.13.10 and R3.14.6. Both architectures run VxWorks 5.5.1:
A channel access client (we have used dm, edm and caget) which asks for a PV that is composed of a valid record name and an (invalid) field name of greater than 19 characters crashes the CA_UDP task. A buffer overflow occurs in the dbStaticLib.c function dbFindField.
Our Motorola MV162s do not crash.
We have identified the offending code as follows (MAX_FIELD_
> long epicsShareAPI dbFindField(DBENTRY *pdbentry,const char *pname)
> {
>     dbRecordType *precordType = pdbentry->precordType;
>     dbRecordNode *precnode = pdbentry->precnode;
>     char *precord;
>     dbFldDes *pflddes;
>     short top, bottom, test;
>     char **papsortFldName;
>     short *sortFldInd;
>     int compare,ind;
>     char fieldName[MAX_FIELD_NAME_LENGTH];   /* MAX_FIELD_NAME_LENGTH bytes, no room for the terminator */
>     char *pfieldName;
>
>     /* The extracted copy of this excerpt lost the text after each '(' and '<';
>        the error codes below are restored from the dbStaticLib.h names. */
>     if(!precordType) return(S_dbLib_recordTypeNotFound);
>     if(!precnode) return(S_dbLib_recNotFound);
>     precord = precnode->precord;
>     papsortFldName = precordType->papsortFldName;
>     sortFldInd = precordType->sortFldInd;
>     /*copy field name. Stop at null or blank or tab*/
>     pfieldName = &fieldName[0];
>     for(ind=0; ind<MAX_FIELD_NAME_LENGTH; ind++) {
>         if(*pname=='\0' || *pname==' ' || *pname=='\t') break;
>         *pfieldName++ = *pname++;
>     }
>     *pfieldName = '\0'; /* This is beyond the end of the fieldName[] */
>     pfieldName = &fieldName[0];
Jane and Rolf
Version: R3.14.8.2
Original Mantis Bug: mantis-256
http://
Bug acknowledged and confirmed, although I can't reproduce the crash here because I don't have a vxWorks-pentium system and this doesn't kill a linux-x86 IOC.
I'd like to get rid of MAX_FIELD_NAME_LENGTH completely from dbStaticLib.c, but for now the fix that I've committed is to increase the size allocated for the fieldName[] array by 1.
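The overrun described in the report and the one-byte fix described in the comment above, as an added example that is not code from the reporters, the maintainer, or EPICS Base. The copy loop is reproduced as quoted; a small harness backs the fieldName buffer with one extra sentinel byte so the terminator write at fieldName[MAX_FIELD_NAME_LENGTH] shows up as a flipped byte instead of a corrupted stack frame. MAX_FIELD_NAME_LENGTH is set to 20 here as an assumption consistent with the "greater than 19 characters" observation; the page does not state the real value, and SENTINEL and the helper names are constructed for this example. Passing a buffer size of MAX_FIELD_NAME_LENGTH models the original declaration, MAX_FIELD_NAME_LENGTH + 1 models the committed fix.

```c
#include <stdio.h>
#include <string.h>

/* Constructed value for this example; the page does not state the real
 * definition in dbStaticLib.c. Names longer than 19 characters crashed the
 * IOC, which is the behaviour a limit of 20 produces. */
#define MAX_FIELD_NAME_LENGTH 20
#define SENTINEL 0xA5   /* constructed marker byte placed just past the buffer */

/* The copy loop from the quoted dbFindField, unchanged: copy up to
 * MAX_FIELD_NAME_LENGTH characters, stopping at NUL, blank or tab, then
 * unconditionally write a terminator. With MAX_FIELD_NAME_LENGTH or more
 * input characters the terminator lands at fieldName[MAX_FIELD_NAME_LENGTH],
 * one past a buffer declared with that size. Returns a pointer to the first
 * input character that was not consumed. */
const char *copy_field_name(char *fieldName, const char *pname)
{
    char *pfieldName = &fieldName[0];
    int ind;

    for (ind = 0; ind < MAX_FIELD_NAME_LENGTH; ind++) {
        if (*pname == '\0' || *pname == ' ' || *pname == '\t') break;
        *pfieldName++ = *pname++;
    }
    *pfieldName = '\0';
    return pname;
}

/* Run the loop against a fieldName[] of `bufsize` bytes. The harness owns a
 * backing store two bytes larger than the largest buffer it models, so the
 * write one past `bufsize` is observable without undefined behaviour. The byte
 * at backing[bufsize] is the first one outside the modelled buffer; it is
 * seeded with SENTINEL and checked afterwards. Returns 1 if it was
 * overwritten, 0 if the copy stayed in bounds, -1 if bufsize exceeds what the
 * harness can model. */
int terminator_overruns(size_t bufsize, const char *name)
{
    unsigned char backing[MAX_FIELD_NAME_LENGTH + 2];

    if (bufsize > MAX_FIELD_NAME_LENGTH + 1)
        return -1;
    memset(backing, 0, sizeof backing);
    backing[bufsize] = SENTINEL;
    copy_field_name((char *)backing, name);
    return backing[bufsize] != SENTINEL;
}

/* Build a constructed field name of n 'A' characters; `out` needs n + 1 bytes. */
void make_name(char *out, size_t n)
{
    memset(out, 'A', n);
    out[n] = '\0';
}

int main(void)
{
    char name[64];
    size_t lens[] = { 19, 20, 40 };
    size_t i;

    for (i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        make_name(name, lens[i]);
        printf("%2zu-char field name: fieldName[%d] %s, fieldName[%d] %s\n",
               lens[i],
               MAX_FIELD_NAME_LENGTH,
               terminator_overruns(MAX_FIELD_NAME_LENGTH, name) ? "OVERRUN" : "ok",
               MAX_FIELD_NAME_LENGTH + 1,
               terminator_overruns(MAX_FIELD_NAME_LENGTH + 1, name) ? "OVERRUN" : "ok");
    }
    return 0;
}
```

The 19-character name is the longest that terminates inside a 20-byte buffer; every name of 20 or more characters writes the NUL at index 20, which is exactly the byte the +1 declaration adds. The loop itself still truncates longer names silently, which is why the maintainer's comment treats the +1 as an interim fix rather than the final shape of the code.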