Argonne National Laboratory

Experimental Physics and
Industrial Control System


Subject: RE: base/src/gdd/dbMapper.cc bug
From: johill@lanl.gov (Jeff Hill)
To: "'saa@SLAC.Stanford.EDU'" <saa@slac.stanford.edu>, "tech-talk@aps.anl.gov" <tech-talk@aps.anl.gov>
Date: Thu, 28 Jan 1999 12:08:50 -0700
All:

A bug has been found by Stephanie Allison in the GDD portion of the C++ based CA server libraries.
It does not have any impact on the IOCs, or any of the client side tools. Specifically there will 
be no impact unless you use server side tools based on the new C++ based server library 
at your site.

Symptoms:
Probably none.

Description of bug 1:
When a client fetched data type dbr_gr_enum a 40 character string was copied into a 26 character 
string. The bug was probably benign unless the maximum number of strings in the dbr_gr_enum structure
were used and the message was at the very end of the CA message buffer.

Description of bug 2:
When a dbr_gr_enum structure is copied into a GDD the code would strncpy() a 40 character string out of a 
26 character string. The bug was probably benign unless the incoming string was not null terminated.

Thanks to Stephanie Allison (and some clever error checking in the DEC C++ compiler) for bringing this 
to our attention.

Here are the changes that I committed to CVS:

retrieving revision 1.20
diff -r1.20 dbMapper.cc
1024,1026c1024,1026
<               strncpy(str[i].fixed_string,&(db->strs[i][0]),
<                       sizeof(aitFixedString));
<               str[i].fixed_string[sizeof(aitFixedString)-1u] = '\0';
---
>               unsigned minl = min (sizeof(aitFixedString), MAX_ENUM_STRING_SIZE) - 1;
>               strncpy (str[i].fixed_string,&(db->strs[i][0]), minl);
>               memset (&str[i].fixed_string[minl], '\0', sizeof(aitFixedString)-minl);
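Review bot: `min (sizeof(aitFixedString), MAX_ENUM_STRING_SIZE)` on the first added line depends on a `min` whose definition is not in this diff; if it resolves to the `std::min` template both arguments must have the same type, and `sizeof` yields `size_t` while the type of the `MAX_ENUM_STRING_SIZE` constant is not shown, so a cast to `size_t` (or a plain ternary) would make the intent compile on every toolchain. A one-line comment saying that the `- 1` reserves the terminator and that the `memset` both terminates and zero-fills the unused tail of `fixed_string` would help the next reader, since the bound is now derived from the smaller of the two buffers rather than from the destination alone.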
1095,1096c1095,1096
<                               sizeof(aitFixedString));
<                       db->strs[i][sizeof(aitFixedString)-1u] = '\0';
---
>                               MAX_ENUM_STRING_SIZE);
>                       db->strs[i][MAX_ENUM_STRING_SIZE-1u] = '\0';
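Review bot: the copy into `db->strs[i]` is now bounded by `MAX_ENUM_STRING_SIZE` and terminated at `db->strs[i][MAX_ENUM_STRING_SIZE-1u]`, which is only in bounds if `MAX_ENUM_STRING_SIZE` is the declared size of `db->strs[i]`; that declaration is outside the shown context, so a `sizeof(db->strs[i])`-based bound or a compile-time check would tie the two together. This hunk also uses a different idiom from the previous one (`strncpy` plus an explicit terminator here, `min` plus `memset` there); one small helper that copies between the two fixed-size buffers would keep the bound computation in a single place for both directions.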

I didn't see any other instances.

Jeff
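The two copies the message describes, generalised into one bounded copy between buffers of different sizes; this is an added example, not the dbMapper.cc code or any EPICS API. The 40- and 26-byte sizes are those stated in the message; the macro and function names are placeholders chosen for this example.

```c
#include <stdio.h>
#include <string.h>

/* Sizes stated in the message: 40-character GDD fixed string, 26-character
 * dbr_gr_enum state string. Names are placeholders for this example only. */
#define EXAMPLE_FIXED_STRING_SIZE 40u
#define EXAMPLE_ENUM_STRING_SIZE  26u

/* Copy a possibly unterminated string held in srcsz bytes into a dstsz-byte
 * buffer: reads at most srcsz, writes exactly dstsz bytes, always leaves a
 * '\0' and zero-fills the unused tail. Returns the characters copied. */
static size_t copy_fixed_string(char *dst, size_t dstsz,
                                const char *src, size_t srcsz)
{
    /* Bound by the SMALLER buffer, minus one byte for the terminator. */
    size_t limit = (dstsz < srcsz ? dstsz : srcsz) - 1u;
    size_t n = 0;
    while (n < limit && src[n] != '\0')
        n++;
    memcpy(dst, src, n);
    memset(dst + n, '\0', dstsz - n);
    return n;
}

/* Bug 2 direction: a 26-byte enum string with no terminator -> 40-byte. */
static size_t demo_enum_to_fixed(char *out40)
{
    char enum_str[EXAMPLE_ENUM_STRING_SIZE];        /* constructed input */
    memset(enum_str, 'A', sizeof enum_str);         /* no '\0' anywhere  */
    return copy_fixed_string(out40, EXAMPLE_FIXED_STRING_SIZE,
                             enum_str, sizeof enum_str);
}

/* Bug 1 direction: a 39-character fixed string -> 26-byte enum string. */
static size_t demo_fixed_to_enum(char *out26)
{
    char fixed[EXAMPLE_FIXED_STRING_SIZE];          /* constructed input */
    memset(fixed, 'B', sizeof fixed - 1u);
    fixed[sizeof fixed - 1u] = '\0';
    return copy_fixed_string(out26, EXAMPLE_ENUM_STRING_SIZE,
                             fixed, sizeof fixed);
}

int main(void)
{
    char fixed[EXAMPLE_FIXED_STRING_SIZE], enum_str[EXAMPLE_ENUM_STRING_SIZE];
    printf("enum->fixed: %zu chars, \"%s\"\n", demo_enum_to_fixed(fixed), fixed);
    printf("fixed->enum: %zu chars, \"%s\"\n", demo_fixed_to_enum(enum_str), enum_str);
    return 0;
}
```

In both directions at most 25 characters are copied, so neither the over-read of the 26-byte source nor the over-write of the 26-byte destination can occur.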
