EPICS Base

iocsh crashes when dealing with NULL iocshArgPersistentString

Series 3.15
Bug #1824732

Bug #1824732 reported by Bruno Martins on 2019-04-14

This bug affects 1 person

	Status	Importance	Assigned to
EPICS Base	Status tracked in 7.0
3.15	Triaged	Low	Unassigned
7.0	Fix Released	Low	Unassigned

Bug Description

I was looking at the iocsh.cpp (@R7.0.2.1) code and realized that there's a bug when parsing command arguments of type iocshArgPersistentString. The code in cvtArg does the following:

   case iocshArgPersistentString:
        argBuf->sval = (char *) malloc(strlen(arg) + 1);
        if (argBuf->sval == NULL) {
            showError(filename, lineno, "Out of memory");
            return 0;
        }
        strcpy(argBuf->sval, arg);
        break;

However, here 'arg' can be NULL, so 'strlen' can (will?) SEGFAULT. I was able to successfully trigger the issue. I don't know where this is used or who uses this functionality exactly.

Tags:

Revision history for this message

Andrew Johnson (anj) wrote on 2019-04-23:

iocshArgPersistentString was intended for use when the routine being called stores the arg pointer instead of making its own copy and uses it again later. This is somewhat uncommon and there are no commands in Base that register such an argument (a 'git grep' comes up with only 2 instances of that word), but it is still used in some support modules.