dbStatic record print routines may corrupt memory

Bug #1462214 reported by Ralph Lange on 2015-06-05
Affects      Status   Importance   Assigned to    Milestone
EPICS Base            Critical     mdavidsaver
3.15                  Critical     Ralph Lange
3.16                  Critical     mdavidsaver

Bug Description

Raising the link field length from 80 to 256 (revision 12663) introduced a bug in the record printing routines.

Debugging and record dumping routines use dbGetString() from dbStaticLib.c to get field values into a message structure that is written to the console afterwards.
In that routine, the fixed-size buffer (#define messagesize 100) in the message structure is filled using strcpy() and sprintf(%s) without restricting the number of characters being written into the buffer.

This leads to memory corruption and possibly segfaults/crashes when using 'dbpr' on a record that contains link fields using more than the original 80 characters.


Ralph Lange (ralph-lange) wrote :

Will push a fix that simply extends that local buffer in the same fashion (max link field length + 20, as before).

It would actually be better to fix all the strcpy() to strncpy(), but with the different sprintf() format strings for each link type (where the max length for the %s would have to be calculated for each instance) things just get too messy, and I much prefer the simple fix.

In 3.16, where the link field length is not restricted, this code has to be re-engineered anyway.

Andrew Johnson (anj) wrote :

Patch added to Known Problems page.

Changed in epics-base:
status: New → Fix Committed
mdavidsaver (mdavidsaver) wrote :

The fix for 3.15 doesn't resolve the issue for the 3.16 branch as the link string size limit is removed entirely.

mdavidsaver (mdavidsaver) wrote :

Fix for 3.16 branch committed.
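
The buffer arithmetic discussed in the report and in Ralph Lange's comment, as an added example in C that is not EPICS Base code: it models the fixed 100-byte message buffer being filled from link strings of the old 80-character and new 256-character lengths, shows when an unbounded sprintf() write would overrun it, checks the "max link length + 20" slack of the 3.15 fix against a hypothetical hardware-link format, and sets the unbounded write beside a vsnprintf()-based version that reports truncation. put_unbounded(), put_bounded(), would_overflow(), sample_link(), HW_LINK_FMT and the sample link strings are assumptions constructed for the example; the only values taken from the page are the 100-byte messagesize and the 80/256 link lengths.

```c
/* Added example, not EPICS Base code. Models the dbGetString() message buffer
 * the report describes (a fixed 100-byte buffer filled by unbounded strcpy()/
 * sprintf() from link strings that grew from 80 to 256 characters). Function
 * names, HW_LINK_FMT and the sample links are assumptions, not EPICS identifiers. */
#include <limits.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define MESSAGESIZE   100  /* the report's "#define messagesize 100" */
#define OLD_LINK_LEN   80  /* link field length before revision 12663 */
#define NEW_LINK_LEN  256  /* link field length after revision 12663 */
/* Hypothetical hardware-link format standing in for the per-link-type
 * sprintf() formats; the real EPICS strings are not on the page. */
#define HW_LINK_FMT "#C%d S%d @%s"

struct message {
    char text[MESSAGESIZE];  /* whatever follows this is what an overrun hits */
};

/* The reported pattern: no length limit at all. More than MESSAGESIZE-1
 * characters is undefined behaviour, so this 'before' only gets short input. */
static void put_unbounded(struct message *m, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsprintf(m->text, fmt, ap);
    va_end(ap);
}

/* Bytes, NUL included, that a format needs: vsnprintf() with a zero-size
 * buffer writes nothing and just reports the length. */
static int vneeded_len(const char *fmt, va_list ap) {
    va_list copy; int n;
    va_copy(copy, ap);
    n = vsnprintf(NULL, 0, fmt, copy);
    va_end(copy);
    return n < 0 ? -1 : n + 1;
}

/* 1 if an unbounded write of this format would overrun 'bufsize' bytes. */
static int would_overflow(size_t bufsize, const char *fmt, ...) {
    va_list ap; int n;
    va_start(ap, fmt);
    n = vneeded_len(fmt, ap);
    va_end(ap);
    return n < 0 || (size_t)n > bufsize;
}

/* Bounded replacement: existing format strings work unchanged, the buffer size
 * is the only limit, and the caller is told about truncation. Returns 1 if
 * output was cut; text is NUL-terminated either way. */
static int put_bounded(struct message *m, const char *fmt, ...) {
    va_list ap; int n;
    va_start(ap, fmt);
    n = vsnprintf(m->text, sizeof m->text, fmt, ap);
    va_end(ap);
    if (n < 0) { m->text[0] = '\0'; return 1; }
    return (size_t)n >= sizeof m->text;
}

/* Constructed sample link of 'len' identical characters (at most 256). */
static const char *sample_link(size_t len) {
    static char buf[NEW_LINK_LEN + 1];
    if (len > NEW_LINK_LEN) len = NEW_LINK_LEN;
    memset(buf, 'a', len);
    buf[len] = '\0';
    return buf;
}

static int bounded_truncated(size_t linklen) {
    struct message m;
    return put_bounded(&m, "%s", sample_link(linklen));
}

static size_t bounded_strlen(size_t linklen) {
    struct message m;
    put_bounded(&m, "%s", sample_link(linklen));
    return strlen(m.text);
}

int main(void) {
    struct message m;
    printf("80-char link into %d bytes: overflow=%d\n", MESSAGESIZE,
           would_overflow(MESSAGESIZE, "%s", sample_link(OLD_LINK_LEN)));
    printf("256-char link into %d bytes: overflow=%d (the reported bug)\n",
           MESSAGESIZE, would_overflow(MESSAGESIZE, "%s", sample_link(NEW_LINK_LEN)));
    /* The 3.15 fix grows the buffer to max link length + 20: enough for a plain
     * link, and for HW_LINK_FMT only while its numeric fields stay short. */
    printf("256-char link into %d bytes: plain=%d hw(small)=%d hw(INT_MAX)=%d\n",
           NEW_LINK_LEN + 20,
           would_overflow(NEW_LINK_LEN + 20, "%s", sample_link(NEW_LINK_LEN)),
           would_overflow(NEW_LINK_LEN + 20, HW_LINK_FMT, 12345, 67890, sample_link(NEW_LINK_LEN)),
           would_overflow(NEW_LINK_LEN + 20, HW_LINK_FMT, INT_MAX, INT_MAX, sample_link(NEW_LINK_LEN)));
    put_unbounded(&m, "%s", sample_link(OLD_LINK_LEN));  /* short input only */
    printf("bounded copy of 256-char link: truncated=%d strlen=%zu\n",
           bounded_truncated(NEW_LINK_LEN), bounded_strlen(NEW_LINK_LEN));
    return 0;
}
```

Build with any C99 compiler and run. The INT_MAX case shows why a fixed slack has to be sized per format string, which is the per-instance arithmetic the comment above describes as messy; the bounded version needs no such calculation, never writes past the buffer, and tells the caller when the console output was cut short.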
