rset::get_enum_str() API problem

Bug #1918762 reported by Andrew Johnson
This bug affects 1 person
Affects: EPICS Base
Status: Triaged
Importance: Medium
Assigned to: Unassigned
Milestone: (none listed)

Bug Description

The recSup.h typed_rset get_enum_str() method has this prototype:

    long (*get_enum_str)(const struct dbAddr *paddr, char *pbuffer);

The method gets no indication how large pbuffer is, so it's easy for it to overflow it, although not by much.

The bi and bo records both hope it's one byte longer than their associated ZNAM/ONAM fields (which are 26 bytes long) because they call strncpy(pbuffer,,26) and then write a nil byte to pbuffer[26].

The mbbi and mbbo records at least don't overflow the buffer they assume is 26 bytes long since they don't bother writing the nil byte after calling strncpy(pbuffer,,26).

No other record types in Base define this method, which isn't trivial to get called. I think this database should be doing it when lsi gets processed, although valgrind doesn't seem to notice the overflow:

record(bi, bi) {
  field(ZNAM, "26-character-enum-string.")
}
record(lsi, "lsi") {
  field(SIZV, 16) # This is the minimum that lsi actually uses.
  field(INP, "bi")
}
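The overflow the report describes, as an added C example written for this page (not code from EPICS Base or from the reporter): a stand-in for the bi/bo pattern that reports how many bytes it writes, next to a size-aware variant of the method that takes the buffer length and nil-terminates inside it. The 26-byte ZNAM width and the 16-byte lsi buffer (SIZV 16) come from the report; the function names, the status codes and the sample ZNAM string are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not EPICS Base code.  The 26-byte ZNAM/ONAM width comes
 * from the report; the function names and the return codes of the
 * size-aware variant are assumptions made for illustration. */
#define ZNAM_SIZE 26

/* Sample ZNAM value, constructed to match the report's database. */
static const char sample_znam[] = "26-character-enum-string.";

/* The bi/bo pattern the report describes: strncpy 26 bytes, then store a
 * nil at pbuffer[26].  Returns how many bytes it wrote so the caller can
 * compare that with the size of the buffer it actually handed in. */
static size_t legacy_get_enum_str(const char *znam, char *pbuffer)
{
    strncpy(pbuffer, znam, ZNAM_SIZE);  /* fills bytes 0..25 */
    pbuffer[ZNAM_SIZE] = '\0';          /* byte 26: needs a 27-byte buffer */
    return ZNAM_SIZE + 1;
}

/* Bytes the legacy pattern writes past the end of a buffer of buflen bytes
 * (0 when the buffer is big enough).  It runs against a scratch buffer that
 * is large enough, so the overrun is counted rather than performed. */
static size_t legacy_overrun(size_t buflen)
{
    char scratch[ZNAM_SIZE + 1];
    size_t written = legacy_get_enum_str(sample_znam, scratch);
    return written > buflen ? written - buflen : 0;
}

/* Size-aware shape for the method: the buffer length travels with the
 * pointer, the output is always nil-terminated inside the buffer, and the
 * return value reports what happened: 0 complete, 1 truncated, -1 no room. */
static long sized_get_enum_str(const char *znam, char *pbuffer, size_t buflen)
{
    size_t n = 0;
    long truncated = 0;

    if (buflen == 0)
        return -1;
    /* ZNAM need not be nil-terminated, so bound the scan at its field width. */
    while (n < ZNAM_SIZE && znam[n] != '\0')
        n++;
    if (n >= buflen) {
        n = buflen - 1;
        truncated = 1;
    }
    memcpy(pbuffer, znam, n);
    pbuffer[n] = '\0';
    return truncated;
}

/* Runs the size-aware method into a buffer of buflen bytes and checks the
 * text it produced.  Returns the method's status, or -100 on a mismatch. */
static long sized_check(size_t buflen, const char *expected)
{
    char scratch[ZNAM_SIZE + 1];
    long rc;

    if (buflen > sizeof scratch)
        return -100;
    rc = sized_get_enum_str(sample_znam, scratch, buflen);
    if (rc < 0)
        return rc;
    return strcmp(scratch, expected) == 0 ? rc : -100;
}

int main(void)
{
    char out[16];   /* lsi with SIZV 16, as in the report's database */
    long rc;

    printf("legacy pattern writes %zu bytes; overrun of a 26-byte buffer: %zu, "
           "of a 16-byte lsi buffer: %zu\n",
           (size_t)ZNAM_SIZE + 1, legacy_overrun(ZNAM_SIZE),
           legacy_overrun(sizeof out));
    rc = sized_get_enum_str(sample_znam, out, sizeof out);
    printf("sized method into 16 bytes: status %ld, text \"%s\"\n", rc, out);
    return 0;
}
```

Compiled and run as-is, it reports a 1-byte overrun for a 26-byte buffer and an 11-byte overrun for the 16-byte lsi buffer, while the size-aware variant keeps 15 characters plus the nil and signals the truncation through its return value instead of writing past the end.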
