
Subject: [Bug 1824732] Re: iocsh crashes when dealing with NULL iocshArgPersistentString
From: Andrew Johnson via Core-talk <core-talk at aps.anl.gov>
To: core-talk at aps.anl.gov
Date: Tue, 10 May 2022 22:52:42 -0000
> Can you link an example?

https://github.com/search?q=org%3Aepics-modules+iocshArgPersistentString&type=code
I get 2 results in epics-modules, one from drvIpac and one from caPutLog:

https://github.com/epics-modules/ipac/blob/5efbc9e70231c5e5dd49ba90c8532dcc808e9e39/drvTip810/drvTip810.c#L1450
This code is not currently NULL-safe, https://github.com/epics-modules/ipac/issues/9

https://github.com/epics-modules/caPutLog/blob/02ba23271650b4c4a719aadb69d393eb79aab2c8/caPutLogApp/caPutLogShellCommands.c#L39
Recently merged code by Dirk, this does handle NULLs properly.

This particular bug has been resolved now though.

** Bug watch added: github.com/epics-modules/ipac/issues #9
   https://github.com/epics-modules/ipac/issues/9

** Changed in: epics-base/7.0
       Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of EPICS
Core Developers, which is subscribed to EPICS Base.
Matching subscriptions: epics-core-list-subscription
https://bugs.launchpad.net/bugs/1824732

Title:
  iocsh crashes when dealing with NULL iocshArgPersistentString

Status in EPICS Base:
  Fix Released
Status in EPICS Base 3.15 series:
  Triaged
Status in EPICS Base 7.0 series:
  Fix Released

Bug description:
  I was looking at the iocsh.cpp (@R7.0.2.1) code and realized that
  there's a bug when parsing command arguments of type
  iocshArgPersistentString. The code in cvtArg does the following:

     case iocshArgPersistentString:
          argBuf->sval = (char *) malloc(strlen(arg) + 1);
          if (argBuf->sval == NULL) {
              showError(filename, lineno, "Out of memory");
              return 0;
          }
          strcpy(argBuf->sval, arg);
          break;

  However, here 'arg' can be NULL, so 'strlen' can (will?) SEGFAULT. I
  was able to successfully trigger the issue. I don't know where this is
  used or who uses this functionality exactly.

To manage notifications about this bug go to:
https://bugs.launchpad.net/epics-base/+bug/1824732/+subscriptions
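
The NULL handling discussed in this thread, as an added example that is not EPICS Base code or taken from the original message: one way to convert a persistent-string argument without calling strlen() on NULL, plus a handler that tolerates the NULL it may then receive. The names argbuf_t, cvt_persistent_string and handler_name_length are hypothetical, and storing NULL for a missing argument is an assumption of this sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the iocsh argument buffer; only sval matters here. */
typedef struct { char *sval; } argbuf_t;

/* Hardened conversion: a missing argument (arg == NULL) is stored as NULL
 * instead of being handed to strlen(). Returns 1 on success, 0 on failure. */
static int cvt_persistent_string(const char *arg, argbuf_t *buf)
{
    if (arg == NULL) {              /* the case the bug report describes */
        buf->sval = NULL;
        return 1;
    }
    size_t len = strlen(arg);
    buf->sval = malloc(len + 1);
    if (buf->sval == NULL) {
        fprintf(stderr, "Out of memory\n");
        return 0;
    }
    memcpy(buf->sval, arg, len + 1); /* copies the terminating NUL too */
    return 1;
}

/* Hypothetical command handler: once the shell passes NULL through, every
 * registered handler must check for it before dereferencing the string. */
static size_t handler_name_length(const argbuf_t *buf)
{
    if (buf->sval == NULL || buf->sval[0] == '\0')
        return 0;                   /* treat missing and empty alike */
    return strlen(buf->sval);
}

int main(void)
{
    argbuf_t given, missing;
    /* "card0" is a constructed sample argument. */
    if (!cvt_persistent_string("card0", &given) ||
        !cvt_persistent_string(NULL, &missing))
        return 1;
    printf("given=%zu missing=%zu\n",
           handler_name_length(&given), handler_name_length(&missing));
    free(given.sval);
    return 0;
}
```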

