Possible null pointer dereferencing in modules/ca/src/client/udpiiu.cpp

Bug #1862916 reported by Karl Vestin
Affects: EPICS Base
Status: Fix Committed
Importance: Undecided
Assigned to: Karl Vestin

Bug Description

Codacy reports an Error-level issue for a possible null pointer dereference in modules/ca/src/client/udpiiu.cpp, line 950.

If the function bool udpiiu::pushDatagramMsg ( epicsGuard < epicsMutex > & guard, const caHdr & msg, const void * pExt, ca_uint16_t extsize ) is called with the following parameters:
1) pExt == null
2) extsize > 0

This will cause the memcpy to read extsize bytes from null, presumably crashing the code.

Tags: codacy
Karl Vestin (karlvestin) wrote :
mdavidsaver (mdavidsaver) wrote :

I find only two places where pushDatagramMsg() is called. One with pExt!=NULL, and the other with pExt==NULL && extsize==0. So this won't currently trigger an issue. I see no harm in adding a NULL test for pExt, or an assert() that pExt==NULL requires extsize==0.

Karl Vestin (karlvestin)
Changed in epics-base:
assignee: nobody → Karl Vestin (karlvestin)
Karl Vestin (karlvestin)
Changed in epics-base:
status: New → In Progress
Karl Vestin (karlvestin) wrote :
Changed in epics-base:
status: In Progress → Fix Committed
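
The precondition discussed in this report (pExt == NULL is only valid with extsize == 0), shown as an added example that is not part of the bug thread and is not the EPICS code or its committed fix. Hdr, DatagramBuf, the 1024-byte buffer and the 8-byte padding are hypothetical stand-ins chosen for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

struct Hdr {                      // hypothetical fixed-size message header
    std::uint16_t cmd;
    std::uint16_t postsize;       // padded payload length
};

class DatagramBuf {               // hypothetical transmit buffer
public:
    // Appends header + payload padded to 8 bytes. Returns false and leaves
    // the buffer unchanged if the arguments are inconsistent or do not fit.
    bool push(const Hdr &msg, const void *pExt, std::uint16_t extsize) {
        // Contract from the report: pExt == NULL requires extsize == 0.
        if (pExt == nullptr && extsize != 0) return false;

        const std::size_t aligned = (std::size_t(extsize) + 7u) & ~std::size_t(7);
        const std::size_t need = sizeof(Hdr) + aligned;
        if (need > sizeof(buf_) - used_) return false;

        Hdr h = msg;
        h.postsize = static_cast<std::uint16_t>(aligned); // fits: need <= 1024
        unsigned char *dst = buf_ + used_;
        std::memcpy(dst, &h, sizeof h);
        // Skip the copy for an empty payload: under the C standard through
        // C17, a null pointer argument to memcpy is undefined even for length 0.
        if (extsize != 0) std::memcpy(dst + sizeof h, pExt, extsize);
        std::memset(dst + sizeof h + extsize, 0, aligned - extsize);
        used_ += need;
        return true;
    }
    std::size_t used() const { return used_; }

private:
    unsigned char buf_[1024] = {};
    std::size_t used_ = 0;
};

int main() {
    DatagramBuf b;
    const Hdr h{6, 0};            // constructed sample header
    std::printf("null+8: %d\n", b.push(h, nullptr, 8));   // rejected
    std::printf("null+0: %d\n", b.push(h, nullptr, 0));   // accepted
    std::printf("used: %zu\n", b.used());
}
```

Returning false keeps the check active in release builds; an assert() on the same condition would be compiled out when NDEBUG is defined.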