MAX_FIELD_NAME_LENGTH overrun in dbFindField

Bug #541289 reported by Andrew Johnson
Affects: EPICS Base | Status: Fix Released | Importance: Medium | Assigned to: Andrew Johnson | Milestone: (none)

Bug Description

From Jane Richards/Rolf Keitel:

Hi,

Suffice to say that serendipity played a big part - but we now have a definitive way to crash our Intel IOCs (PC104 and VME based Pentium) using EPICS R3.13.10 and R3.14.6. Both architectures run VxWorks 5.5.1:

A channel access client (we have used dm, edm and caget) which asks for a PV that is composed of a valid record name and an (invalid) field name of greater than 19 characters crashes the CA_UDP task. A buffer overflow occurs in the dbStaticLib.c function dbFindField.

Our Motorola MV162s do not crash.

We have identified the offending code as follows (MAX_FIELD_NAME_LENGTH is defined as 20):

> long epicsShareAPI dbFindField(DBENTRY *pdbentry,const char *pname)
> {
> dbRecordType *precordType = pdbentry->precordType;
> dbRecordNode *precnode = pdbentry->precnode;
> char *precord;
> dbFldDes *pflddes;
> short top, bottom, test;
> char **papsortFldName;
> short *sortFldInd;
> int compare,ind;
> char fieldName[MAX_FIELD_NAME_LENGTH];
> char *pfieldName;
>
> if(!precordType) return(S_dbLib_recordTypeNotFound);
> if(!precnode) return(S_dbLib_recNotFound);
> precord = precnode->precord;
> papsortFldName = precordType->papsortFldName;
> sortFldInd = precordType->sortFldInd;
> /*copy field name. Stop at null or blank or tab*/
> pfieldName = &fieldName[0];
> for(ind=0; ind<MAX_FIELD_NAME_LENGTH; ind++) {
> if(*pname=='\0' || *pname==' ' || *pname=='\t') break;
> *pfieldName++ = *pname++;
> }
> *pfieldName = '\0'; /* This is beyond the end of the fieldName[] */
> pfieldName = &fieldName[0];

Jane and Rolf

Version: R3.14.8.2

Original Mantis Bug: mantis-256
    http://www.aps.anl.gov/epics/mantis/view_bug_page.php?f_id=256

Andrew Johnson (anj) wrote:

Bug acknowledged and confirmed, although I can't reproduce the crash here because I don't have a vxWorks-pentium system and this doesn't kill a linux-x86 IOC.

I'd like to get rid of MAX_FIELD_NAME_LENGTH completely from dbStaticLib.c, but for now the fix that I've committed is to increase the size allocated for the fieldName[] array by 1.
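The overrun described in the report, and the one-byte enlargement Andrew mentions, worked through as an added example in C. This is not code from the report or from EPICS Base: the helper names (copy_field_name_original, terminator_index, overflows_array, copy_field_name_bounded) and the field-name inputs are constructed here. The first helper repeats the quoted loop verbatim but records where the terminator lands instead of trusting the array size, so the off-by-one can be observed against both the 20-byte declaration and the 21-byte fix without actually corrupting memory; the bounded variant is an alternative that uses the destination size as the only limit and rejects over-long names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_FIELD_NAME_LENGTH 20    /* the limit quoted in the report */

/*
 * Same loop as the quoted dbFindField: copy at most `limit` characters,
 * stopping at NUL, blank or tab, then write a terminator unconditionally.
 * Returns the index at which the terminator was written. The caller must
 * supply at least limit + 1 bytes so the observation itself stays in bounds.
 */
static size_t copy_field_name_original(char *dst, size_t limit, const char *pname)
{
    char *p = dst;
    size_t ind;

    for (ind = 0; ind < limit; ind++) {
        if (*pname == '\0' || *pname == ' ' || *pname == '\t') break;
        *p++ = *pname++;
    }
    *p = '\0';          /* lands at dst[limit] once the name has >= limit chars */
    return (size_t)(p - dst);
}

/* Index where the original loop places the '\0' for a given field name. */
size_t terminator_index(const char *field)
{
    char scratch[MAX_FIELD_NAME_LENGTH + 1];   /* one spare byte for the observation */
    memset(scratch, 0x7f, sizeof scratch);
    return copy_field_name_original(scratch, MAX_FIELD_NAME_LENGTH, field);
}

/*
 * 1 if the original loop's terminator falls outside an array of `arraysize`
 * bytes: arraysize == 20 is the declaration quoted in the report, 21 is the
 * array enlarged by one as in the committed fix.
 */
int overflows_array(const char *field, size_t arraysize)
{
    return terminator_index(field) >= arraysize;
}

/*
 * Bounded alternative (added here, not EPICS code): the destination size is
 * the only bound, the terminator always stays inside dst, and a name that
 * does not fit is reported as -1 so the caller can answer "field not found"
 * rather than search for a silently truncated name.
 */
int copy_field_name_bounded(char *dst, size_t dstsize, const char *pname)
{
    size_t n = 0;

    if (dstsize == 0) return -1;
    while (n < dstsize - 1 &&
           *pname != '\0' && *pname != ' ' && *pname != '\t') {
        dst[n++] = *pname++;
    }
    dst[n] = '\0';
    if (*pname != '\0' && *pname != ' ' && *pname != '\t')
        return -1;      /* name did not fit: reject instead of truncating */
    return (int)n;
}

int main(void)
{
    /* constructed inputs: 19, 20 and 40 non-blank characters */
    const char *ok        = "ABCDEFGHIJKLMNOPQRS";
    const char *edge      = "ABCDEFGHIJKLMNOPQRST";
    const char *long_name = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789ABCD";
    char buf[MAX_FIELD_NAME_LENGTH];

    printf("19 chars, 20-byte array:       overflow=%d\n", overflows_array(ok, 20));
    printf("20 chars, 20-byte array:       overflow=%d\n", overflows_array(edge, 20));
    printf("40 chars, 20-byte array:       overflow=%d\n", overflows_array(long_name, 20));
    printf("40 chars, 21-byte array (fix): overflow=%d\n", overflows_array(long_name, 21));
    printf("bounded copy of 20 chars into 20 bytes: %d\n",
           copy_field_name_bounded(buf, sizeof buf, edge));
    return 0;
}
```

A 19-character name terminates at index 19, the last byte of the 20-byte array; anything of 20 or more characters puts the terminator at index 20, which is exactly the "greater than 19 characters" threshold in the report. Enlarging the array to 21 bytes moves that write back inside the object, which is why the one-byte fix is sufficient for this loop even though the limit check itself is unchanged.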

Andrew Johnson (anj) wrote:

R3.14.9 Released.
