dbStatic record print routines may corrupt memory

Bug #1462214 reported by Ralph Lange on 2015-06-05
Assigned to: Ralph Lange

Bug Description

Raising the link field length from 80 to 256 (revision 12663) introduced a bug in the record printing routines.

Debugging and record dumping routines use dbGetString() from dbStaticLib.c to get field values into a message structure that is written to the console afterwards.
In that routine, the fixed size buffer (#define messagesize 100) in the message structure is filled using strcpy() and sprintf(%s) without restricting the number of characters being written into the buffer.

This leads to memory corruption and possibly segfaults/crashes when using 'dbpr' on a record that contains link fields using more than the original 80 characters.

Ralph Lange (ralph-lange) wrote :

Will push a fix that simply extends that local buffer in the same fashion (max link field length + 20, as before).

It would actually be better to change all the strcpy() calls to strncpy(), but with the different sprintf() format strings for each link type (where the max length for the %s would have to be calculated for each instance) things just get too messy, and I much prefer the simple fix.

In 3.16, where the link field length is not restricted, this code has to be re-engineered anyway.

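The following is an added example, not code from EPICS Base, that models the sizing problem described in the bug report (a link field of up to 256 characters formatted with sprintf(%s) into a 100-byte message buffer) together with the two remedies Ralph discusses above: enlarging the buffer to max link length + 20, or bounding every write. The constants 80, 256 and 100 come from the report; the struct-free layout, the format string LINK_FMT and all function names are assumptions for illustration, and the "spill" is measured inside an oversized heap region so the demonstration itself does not corrupt memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes taken from the report: link fields grew from 80 to 256 characters
 * while the message buffer (messagesize) stayed at 100. The "+ 20" slack
 * follows the sizing rule the proposed fix describes (max link length + 20);
 * 80 + 20 is exactly the old 100. */
#define OLD_LINK_LEN      80
#define NEW_LINK_LEN      256
#define MESSAGESIZE       100                   /* the unchanged buffer */
#define MESSAGESIZE_FIXED (NEW_LINK_LEN + 20)   /* the simple fix        */

/* Illustrative link format (an assumption, not an EPICS format string).
 * The real routines use a different sprintf() format per link type; this
 * stand-in only needs to append a few bytes after the %s. */
#define LINK_FMT        "%s NPP NMS"
#define LINK_SUFFIX_LEN 8   /* strlen(" NPP NMS") */

/* Vulnerable pattern: sprintf(%s) with no bound on the destination. Whatever
 * the link length, the whole string plus NUL lands in dst. */
static int fmt_link_unbounded(char *dst, const char *link)
{
    return sprintf(dst, LINK_FMT, link);
}

/* Hardened pattern: snprintf() with the destination size plus an explicit
 * truncation check, so an over-long link is reported instead of being
 * silently cut or written past the end. dst is always NUL-terminated.
 * Returns 0 on success, -1 if the formatted text did not fit. */
static int fmt_link_bounded(char *dst, size_t dstsz, const char *link)
{
    int n = snprintf(dst, dstsz, LINK_FMT, link);
    if (n < 0 || (size_t)n >= dstsz)
        return -1;          /* truncated: caller must not trust dst as complete */
    return 0;
}

/* A link string of the maximum length allowed after revision 12663
 * (constructed test input). */
static void make_max_link(char *out)
{
    memset(out, 'a', NEW_LINK_LEN);
    out[NEW_LINK_LEN] = '\0';
}

/* Model the overflow safely: allocate a region much larger than MESSAGESIZE,
 * fill it with a sentinel, format into its first bytes exactly as the
 * unbounded code would, and count sentinel bytes beyond the logical 100-byte
 * buffer that were clobbered. In the real message structure those bytes are
 * whatever happens to follow the buffer in memory. */
static size_t bytes_spilled_past_messagesize(void)
{
    const size_t region = MESSAGESIZE + NEW_LINK_LEN + 32;
    unsigned char *mem = malloc(region);
    char link[NEW_LINK_LEN + 1];
    size_t i, spilled = 0;

    if (!mem)
        return 0;
    make_max_link(link);
    memset(mem, 0xAA, region);
    fmt_link_unbounded((char *)mem, link);   /* writes 256 + 8 + 1 bytes */
    for (i = MESSAGESIZE; i < region; i++)
        if (mem[i] != 0xAA)
            spilled++;
    free(mem);
    return spilled;                          /* 265 - 100 = 165 */
}

/* The simple fix: buffer resized to max link length + 20. Returns 1 if the
 * longest link plus suffix and NUL now fits inside it. */
static int simple_fix_fits(void)
{
    char buf[MESSAGESIZE_FIXED];
    char link[NEW_LINK_LEN + 1];
    make_max_link(link);
    return fmt_link_bounded(buf, sizeof buf, link) == 0;
}

/* The bounded alternative on the original 100-byte buffer: the write stays
 * inside the buffer (99 chars + NUL) and the over-long link is flagged. */
static int bounded_write_flags_truncation(void)
{
    char buf[MESSAGESIZE];
    char link[NEW_LINK_LEN + 1];
    make_max_link(link);
    return fmt_link_bounded(buf, sizeof buf, link) == -1
        && strlen(buf) == MESSAGESIZE - 1;
}

int main(void)
{
    printf("bytes written past the %d-byte buffer: %zu\n",
           MESSAGESIZE, bytes_spilled_past_messagesize());
    printf("simple fix (buffer = %d) fits the longest link: %d\n",
           MESSAGESIZE_FIXED, simple_fix_fits());
    printf("snprintf on the 100-byte buffer flags truncation: %d\n",
           bounded_write_flags_truncation());
    return 0;
}
```

Note on the design: the "+ 20" fix is only safe as long as every format string's fixed text stays under 20 bytes, which is the per-format-string accounting Ralph mentions; the snprintf() variant makes that bound explicit at each call and is what the 3.16 branch needs once the link length has no limit at all. If strncpy() is used instead, the destination must be NUL-terminated by hand, since strncpy() does not guarantee it.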
Andrew Johnson (anj) wrote :

Patch added to Known Problems page.

Changed in epics-base:
status: New → Fix Committed

mdavidsaver (mdavidsaver) wrote :

The fix for 3.15 doesn't resolve the issue for the 3.16 branch as the link string size limit is removed entirely.

mdavidsaver (mdavidsaver) wrote :

Fix for 3.16 branch committed.
