Buffer overrun in dbpr with long INP field
Bug #1776141 reported by
Martin Konrad
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| EPICS Base | Status tracked in 7.0 | | | |
| 3.15 | Fix Released | Undecided | Martin Konrad | |
| 3.16 | Fix Released | Undecided | Andrew Johnson | |
| 7.0 | Fix Released | Undecided | Andrew Johnson | |
Bug Description
softIoc crashes with a buffer overflow in dbTest.c:1152 when running "dbpr A 4" on the attached database file (test.db).
Root cause: pmsg points to msgBuff->message which has a fixed size of 128 but the output of sprintf can be longer.
I can see two potential solutions here:
1. Use snprintf() to prevent the buffer overflow.
2. Convert the file to C++ and use strings.
Note: dbTest.c contains a total of 23 sprintf() calls so there might be potential for more issues...
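The first proposed fix (snprintf() in place of sprintf()), as an added example written for this page and not code from EPICS Base or from the reporter. It models the shape of the bug: a 128-byte message buffer, the unbounded sprintf() pattern, and a bounded version that reports truncation, exercised with a constructed over-long INP value. The format string "%s:CA_LINK %s" and the field name are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Size of msgBuff->message as stated in the report (128 bytes). */
#define MSG_BUF_SIZE 128

struct msg_buff {
    char message[MSG_BUF_SIZE];
};

/* The pattern the report describes: sprintf() into a fixed buffer.
 * A value long enough to push the formatted text past 127 characters
 * writes beyond message[] (undefined behaviour). Shown for contrast only;
 * nothing below calls it. The format string is an assumption. */
void format_field_unsafe(struct msg_buff *mb, const char *name, const char *value)
{
    sprintf(mb->message, "%s:CA_LINK %s", name, value);
}

/* Hardened form: snprintf() never writes past the buffer and returns the
 * length it would have needed, so the caller can detect truncation instead
 * of silently corrupting memory.
 * Returns 1 if truncated, 0 if the whole message fit, -1 on encoding error. */
int format_field_safe(struct msg_buff *mb, const char *name, const char *value)
{
    int needed = snprintf(mb->message, sizeof mb->message, "%s:CA_LINK %s", name, value);
    if (needed < 0) {
        mb->message[0] = '\0';
        return -1;
    }
    return (size_t)needed >= sizeof mb->message;
}

/* Constructed input: an INP value of 200 'A's, far past the 128-byte limit.
 * Returns 1 if the result is reported as truncated and is still a properly
 * terminated string of exactly MSG_BUF_SIZE - 1 characters. */
int check_long_input(void)
{
    struct msg_buff mb;
    char value[201];
    memset(value, 'A', 200);
    value[200] = '\0';
    int truncated = format_field_safe(&mb, "INP", value);
    return truncated == 1 && strlen(mb.message) == MSG_BUF_SIZE - 1;
}

/* Constructed input: a short value must pass through untruncated and intact. */
int check_short_input(void)
{
    struct msg_buff mb;
    int truncated = format_field_safe(&mb, "INP", "AAAAAAAA");
    return truncated == 0 && strcmp(mb.message, "INP:CA_LINK AAAAAAAA") == 0;
}
```

A caller that wants the reporter's "explicit error and no crash" behaviour can branch on the return value of format_field_safe() and print a length-limit message instead of the truncated text.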
Related branches

- ~info-martin-konrad/epics-base:backport-fix-for-lp1776141
  Merged into ~epics-core/epics-base/+git/epics-base:3.15 at revision 7632c355eee6dc72dfecec2295f93e853a9524ad
  - Andrew Johnson: Approve
  - Diff: 28 lines (+3/-2), 1 file modified: src/ioc/db/dbTest.c (+3/-2)
I'm not able to replicate with current 3.16 branch (plus some extra changes, but I don't think relevant). I see an explicit error and no crash. Valgrind doesn't report a bounds violation.
```
epics> dbpr A 4 AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAA
...
INP:CA_LINK AAAAAAAAAAAAAAA
dbpr_msgOut: ERROR - msg length=149 limit=80
...
```