iocsh crashes when dealing with NULL iocshArgPersistentString

Bug #1824732 reported by Bruno Martins
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
EPICS Base
Status tracked in 7.0
3.15
Triaged
Low
Unassigned
7.0
Fix Released
Low
Unassigned

Bug Description

I was looking at the iocsh.cpp (@R7.0.2.1) code and realized that there's a bug when parsing command arguments of type iocshArgPersistentString. The code in cvtArg does the following:

   case iocshArgPersistentString:
        argBuf->sval = (char *) malloc(strlen(arg) + 1);
        if (argBuf->sval == NULL) {
            showError(filename, lineno, "Out of memory");
            return 0;
        }
        strcpy(argBuf->sval, arg);
        break;

However, here 'arg' can be NULL, so 'strlen' can (will?) SEGFAULT. I was able to successfully trigger the issue. I don't know where this is used or who uses this functionality exactly.

Tags: codeathon
Revision history for this message
Andrew Johnson (anj) wrote :

iocshArgPersistentString was intended for use when the routine being called stores the arg pointer instead of making its own copy and uses it again later. This is somewhat uncommon and there are no commands in Base that register such an argument (a 'git grep' comes up with only 2 instances of that word), but it is still used in some support modules.

tags: added: codeathon
Changed in epics-base:
status: New → Triaged
importance: Undecided → Low
Revision history for this message
mdavidsaver (mdavidsaver) wrote :

> it is still used in some support modules.

Can you link an example? I'm interested in if/how NULL is handled.

Revision history for this message
Andrew Johnson (anj) wrote :

> Can you link an example?

https://github.com/search?q=org%3Aepics-modules+iocshArgPersistentString&type=code
I get 2 results in epics-modules, one from drvIpac and one from caPutLog:

https://github.com/epics-modules/ipac/blob/5efbc9e70231c5e5dd49ba90c8532dcc808e9e39/drvTip810/drvTip810.c#L1450
This code is not currently NULL-safe, https://github.com/epics-modules/ipac/issues/9

https://github.com/epics-modules/caPutLog/blob/02ba23271650b4c4a719aadb69d393eb79aab2c8/caPutLogApp/caPutLogShellCommands.c#L39
Recently merged code by Dirk, this does handle NULLs properly.

This particular bug has been resolved now though.

Revision history for this message
Andrew Johnson (anj) wrote :

But not on the 3.15 branch, that could get the fix if anyone feels like back-porting the code change from the 7.0 branch.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.