dbCaPutLinkCallback can write out of bounds
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
EPICS Base | Fix Released | Medium | mdavidsaver |
Bug Description
When dbCaPutLinkCall
> record(aao, "a") {
> field(OUT, "b CA")
> field(FTVL, "DOUBLE")
> field(NELM, "10")
> }
>
> record(aai, "b") {
> field(FTVL, "DOUBLE")
> field(NELM, "2")
> }
When 'a' is written with a number of elements greater than 2:
> $ caput -a a 10 1 2 3 4 5 6 7 8 9 10
Valgrind reports:
> Invalid write of size 8
> at 0x569107A: putDoubleDouble (in /usr/lib/
> by 0x56A103E: dbCaPutLinkCallback (in /usr/lib/
> by 0x568C709: dbPutLinkValue (in /usr/lib/
> by 0x505C2F1: write_aao (in /usr/lib/
> by 0x4E344D7: process (in /usr/lib/
> by 0x568B73A: dbProcess (in /usr/lib/
> by 0x568C4E1: dbPutField (in /usr/lib/
> by 0x569D452: db_put_field (in /usr/lib/
> by 0x6553284: write_action (in /usr/lib/
> by 0x65519DE: camessage (in /usr/lib/
> by 0x654E73A: camsgtask (in /usr/lib/
> by 0x5D180E6: start_routine (in /usr/lib/
> Address 0x7d5d390 is 0 bytes after a block of size 16 alloc'd
> at 0x4C272B8: calloc (vg_replace_
> by 0x5D0F12C: callocMustSucceed (in /usr/lib/
> by 0x56A1223: dbCaPutLinkCallback (in /usr/lib/
> by 0x568C709: dbPutLinkValue (in /usr/lib/
> by 0x505C2F1: write_aao (in /usr/lib/
> by 0x4E344D7: process (in /usr/lib/
> by 0x568B73A: dbProcess (in /usr/lib/
> by 0x568C4E1: dbPutField (in /usr/lib/
> by 0x569D452: db_put_field (in /usr/lib/
> by 0x6553284: write_action (in /usr/lib/
> by 0x65519DE: camessage (in /usr/lib/
> by 0x654E73A: camsgtask (in /usr/lib/
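The report above is an array put travelling through a CA link into a target record whose buffer holds only NELM elements. The following C model is an added example, not EPICS Base's own code: the type and function names (`target_array`, `put_doubles_unchecked`, `put_doubles_clamped`, `target_guard_intact`) are hypothetical, and the input is constructed to mirror the report (ten doubles into a two-element target). It places the unchecked copy that matches the Valgrind trace beside a clamped version that bounds the element count by the destination capacity and tells the caller how many elements were actually stored, with a guard slot after the buffer so the absence of an overflow can be verified.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not EPICS Base code: models a put of an array of doubles
 * into a target record whose buffer holds exactly 'capacity' (NELM) elements. */
typedef struct {
    double *buf;      /* heap buffer: 'capacity' elements plus one guard slot */
    size_t  capacity; /* the target record's NELM */
} target_array;

/* Sentinel stored in the guard slot just past the buffer (hypothetical). */
#define GUARD_VALUE (-12345.0)

/* Allocate a target with the given NELM. One extra slot is added after the
 * buffer and filled with GUARD_VALUE so a test can detect writes past the end. */
static target_array *target_create(size_t nelm)
{
    target_array *t = calloc(1, sizeof *t);
    if (!t) return NULL;
    t->buf = calloc(nelm + 1, sizeof(double));
    if (!t->buf) { free(t); return NULL; }
    t->buf[nelm] = GUARD_VALUE;
    t->capacity = nelm;
    return t;
}

static void target_destroy(target_array *t)
{
    if (t) { free(t->buf); free(t); }
}

/* The bug shape: copy exactly as many elements as the source offers.
 * With nrequest=10 and capacity=2 this is the 8-byte "Invalid write"
 * Valgrind reports. Shown for contrast only; never called in this example. */
void put_doubles_unchecked(target_array *dst, const double *src, size_t nrequest)
{
    memcpy(dst->buf, src, nrequest * sizeof(double));
}

/* Hardened form: the element count is clamped to the destination capacity
 * before the copy. Returns the number of elements stored and sets *truncated
 * when data had to be dropped; returns (size_t)-1 on a NULL argument. */
static size_t put_doubles_clamped(target_array *dst, const double *src,
                                  size_t nrequest, int *truncated)
{
    if (!dst || !dst->buf || !src) return (size_t)-1;
    size_t n = nrequest < dst->capacity ? nrequest : dst->capacity;
    if (truncated) *truncated = (nrequest > dst->capacity);
    memcpy(dst->buf, src, n * sizeof(double));
    return n;
}

/* True if the guard slot after the buffer still holds its sentinel. */
static int target_guard_intact(const target_array *t)
{
    return t && t->buf[t->capacity] == GUARD_VALUE;
}

int main(void)
{
    /* Constructed input mirroring the report: 'caput -a a 10 1 2 ... 10'
     * into a target record with NELM=2. */
    const double src[10] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
    target_array *b = target_create(2);
    if (!b) return 1;
    int truncated = 0;
    size_t stored = put_doubles_clamped(b, src, 10, &truncated);
    printf("stored %zu of 10 elements, truncated=%d, guard intact=%d\n",
           stored, truncated, target_guard_intact(b));
    target_destroy(b);
    return 0;
}
```

The clamp is the check the caller of a dbConvert-style copy routine needs to make before the copy: the element count must come from the smaller of the source length and the destination's allocation, not from the source alone, and the caller should be told when truncation happened rather than silently losing data.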
Related branches
- mdavidsaver: Approve
- Andrew Johnson: Approve
- Ralph Lange: Pending requested
Diff: 2471 lines (+1614/-517)
27 files modified
src/ioc/db/dbCAC.h (+1/-0)
src/ioc/db/dbCa.c (+17/-13)
src/ioc/db/dbChannelNOOP.h (+118/-0)
src/ioc/db/dbContext.cpp (+15/-3)
src/ioc/db/dbNotify.c (+10/-1)
src/ioc/db/test/Makefile (+22/-9)
src/ioc/db/test/arrRecord.c (+141/-0)
src/ioc/db/test/arrRecord.dbd (+42/-0)
src/ioc/db/test/dbCACTest.cpp (+84/-0)
src/ioc/db/test/dbCaLinkTest.c (+597/-0)
src/ioc/db/test/dbCaLinkTest1.db (+5/-0)
src/ioc/db/test/dbCaLinkTest2.db (+10/-0)
src/ioc/db/test/dbCaLinkTest3.db (+14/-0)
src/ioc/db/test/dbLinkdset.c (+0/-1)
src/ioc/db/test/dbLinkdset.dbd (+0/-2)
src/ioc/db/test/devx.c (+163/-0)
src/ioc/db/test/devx.dbd (+2/-0)
src/ioc/db/test/devx.h (+52/-0)
src/ioc/db/test/epicsRunDbTests.c (+2/-0)
src/ioc/db/test/scanIoTest.c (+264/-475)
src/ioc/db/test/scanIoTest.db (+3/-1)
src/ioc/db/test/xRecord.c (+27/-2)
src/ioc/db/test/xRecord.dbd (+5/-0)
src/ioc/db/test/yRecord.dbd (+0/-10)
src/ioc/misc/iocInit.c (+6/-0)
src/std/filters/test/arrRecord.c (+6/-0)
src/std/filters/test/arrRecord.dbd (+8/-0)
Changed in epics-base:
- assignee: nobody → mdavidsaver (mdavidsaver)
- importance: Undecided → Medium
- milestone: none → 3.14.branch
Changed in epics-base:
- status: Fix Committed → Fix Released
Interesting, I'm slightly surprised that caget didn't catch that.
Putting up to twice the length of the target is still safe because the circular buffer code makes the pdest pointer wrap around after it reaches the end of the buffer the first time, but after the second time it will overflow.
Should this have been checked/prevented by the dbConvert.c routines? That file changed significantly in 3.15, so I would say don't bother doing it in 3.14 in any case.