dbStatic record print routines may corrupt memory

Bug #1462214 reported by Ralph Lange
Affects       Status        Importance  Assigned to  Milestone
EPICS Base    Fix Released  Critical    mdavidsaver
  3.15        Fix Released  Critical    Ralph Lange
  3.16        Fix Released  Critical    mdavidsaver

Bug Description

Raising the link field length from 80 to 256 (revision 12663) introduced a bug in the record printing routines.

Debugging and record dumping routines use dbGetString() from dbStaticLib.c to get field values into a message structure that is written to the console afterwards.
In that routine, the fixed-size buffer (#define messagesize 100) in the message structure is filled using strcpy() and sprintf(%s) without restricting the number of characters being written into the buffer.

This leads to memory corruption and possibly segfaults/crashes when using 'dbpr' on a record that contains link fields using more than the original 80 characters.

Tags: dbstatic


Ralph Lange (ralph-lange) wrote:

Will push a fix that simply extends that local buffer in the same fashion (max link field length + 20, as before).

It would actually be better to fix all the strcpy() to strncpy(), but with the different sprintf() format strings for each link type (where the max length for the %s would have to be calculated for each instance) things just get too messy, and I much prefer the simple fix.

In 3.16, where the link field length is not restricted, this code has to be re-engineered anyway.
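The pattern the report and the comment above describe, as an added example in C that is not EPICS Base code: a printing routine formats a link value into a fixed-size message buffer. Only "messagesize 100" and the 80 to 256 link length change come from the page; the LinkField layout, the "%s %s" format with a PP/NPP flag, the +4 overhead that follows from it, and every function name are assumptions for illustration. The first routine answers whether the unbounded sprintf() of the report would run past the buffer (measured with snprintf(NULL, 0, ...) instead of actually corrupting memory), and the second is the bounded replacement that truncates and reports it, which is the form that still holds once the link length is no longer limited.

```c
/* Added example, not EPICS Base code. It models the dbGetString() pattern
 * described in the report: a link value formatted into a fixed-size message
 * buffer. Only "messagesize 100" and the 80 -> 256 link length change come
 * from the report; the LinkField layout, the "%s %s" format with a PP/NPP
 * flag and every function name here are assumptions for illustration. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define OLD_LINK_LEN  80                   /* link field length before r12663 */
#define NEW_LINK_LEN  256                  /* link field length after r12663 */
#define messagesize   100                  /* fixed message buffer, as reported */
#define FIXED_MSG_LEN (NEW_LINK_LEN + 20)  /* the 3.15 fix: max link length + 20 */

/* Assumed link field: the value plus one flag, so the printer adds a fixed
 * number of characters on top of whatever the %s expands to. */
typedef struct {
    char link[NEW_LINK_LEN + 1];
    bool process_passive;
} LinkField;

#define LINK_FMT "%s %s"   /* assumed format: value, space, "PP" or "NPP" */

static const char *flag_text(const LinkField *lf)
{
    return lf->process_passive ? "PP" : "NPP";
}

/* Bytes an unbounded sprintf(LINK_FMT, ...) would emit, terminator included.
 * snprintf(NULL, 0, ...) measures without writing anywhere. */
static size_t unbounded_bytes(const LinkField *lf)
{
    return (size_t)snprintf(NULL, 0, LINK_FMT, lf->link, flag_text(lf)) + 1;
}

/* The defect in the report: sprintf() with no bound into a bufsize buffer.
 * This only answers whether that write would run past the end. */
static bool unbounded_write_overflows(const LinkField *lf, size_t bufsize)
{
    return unbounded_bytes(lf) > bufsize;
}

/* Hardened printer: snprintf() never writes more than bufsize bytes, and the
 * caller learns that the value was cut (1) instead of silently seeing a short
 * string. Returns -1 on a formatting error, 0 when it fit. */
static int bounded_format(char *buf, size_t bufsize, const LinkField *lf)
{
    int n = snprintf(buf, bufsize, LINK_FMT, lf->link, flag_text(lf));
    if (n < 0)
        return -1;
    if ((size_t)n >= bufsize) {
        if (bufsize >= 4)
            memcpy(buf + bufsize - 4, "...", 4);  /* make truncation visible */
        return 1;
    }
    return 0;
}

/* Test helper: a link value of len identical characters (constructed input). */
static void make_link(LinkField *lf, size_t len, bool pp)
{
    if (len > NEW_LINK_LEN)
        len = NEW_LINK_LEN;
    memset(lf->link, 'L', len);
    lf->link[len] = '\0';
    lf->process_passive = pp;
}

/* Would the unbounded printer overflow for a link of this length? */
static bool link_of_len_overflows(size_t len, size_t bufsize)
{
    LinkField lf;
    make_link(&lf, len, false);   /* "NPP" is the longer flag: worst case */
    return unbounded_write_overflows(&lf, bufsize);
}

/* Runs the bounded printer with the old and the enlarged buffer; 0 if all the
 * expected properties hold, otherwise the number of the failed check. */
static int self_check(void)
{
    LinkField lf;
    char old_buf[messagesize], new_buf[FIXED_MSG_LEN];

    make_link(&lf, NEW_LINK_LEN, false);
    if (bounded_format(old_buf, sizeof old_buf, &lf) != 1)   return 1;
    if (strlen(old_buf) != messagesize - 1)                  return 2;
    if (strcmp(old_buf + messagesize - 4, "...") != 0)       return 3;
    if (bounded_format(new_buf, sizeof new_buf, &lf) != 0)   return 4;
    if (strlen(new_buf) != NEW_LINK_LEN + 4)                 return 5;
    return 0;
}

int main(void)
{
    printf("%d-char link, %d-byte buffer: overflow=%d\n", OLD_LINK_LEN, messagesize,
           link_of_len_overflows(OLD_LINK_LEN, messagesize));
    printf("%d-char link, %d-byte buffer: overflow=%d\n", NEW_LINK_LEN, messagesize,
           link_of_len_overflows(NEW_LINK_LEN, messagesize));
    printf("%d-char link, %d-byte buffer: overflow=%d\n", NEW_LINK_LEN, FIXED_MSG_LEN,
           link_of_len_overflows(NEW_LINK_LEN, FIXED_MSG_LEN));
    printf("bounded printer self-check: %d\n", self_check());
    return 0;
}
```

With the assumed format the fixed overhead is 4 characters, so an 80-character link fits the 100-byte buffer, a 256-character link overruns it by 161 bytes, and the enlarged buffer of max link length + 20 holds it because 20 exceeds that per-format overhead. That margin is the whole safety argument of the simple fix, and it only exists while the link length itself is capped; with no cap, as on 3.16, only the bounded printer keeps the write inside the buffer.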

Andrew Johnson (anj) wrote:

Patch added to Known Problems page.

Changed in epics-base:
status: New → Fix Committed
mdavidsaver (mdavidsaver) wrote:

The fix for 3.15 doesn't resolve the issue for the 3.16 branch as the link string size limit is removed entirely.

mdavidsaver (mdavidsaver) wrote:

Fix for 3.16 branch committed.
