How to crash an EPICS ioc on Intel/VxWorks

[Jane Richards <richards@triumf.ca>]

Hi,

 Suffice to say that serendipity played a big part  - but we now have a 
definitive way to crash our Intel iocs (PC104 and VME based Pentium) 
using EPICS R3.13.10 and R3.14.6. Both architectures run VxWorks 5.5.1:

A channel access client (we have used dm, edm and caget) which asks for 
a PV that is composed of  a valid record name and an (invalid) field 
name of greater than 19 characters crashes the CA_UDP task.  A buffer 
overflow occurs in the dbStaticLib.c function dbFindField.

Our Motorola MV162s do not crash.

We have identified the offending code as follows (MAX_FIELD_NAME_LENGTH 
is defined as 20):

> long epicsShareAPI dbFindField(DBENTRY *pdbentry,const char *pname)
> {
>     dbRecordType    *precordType = pdbentry->precordType;
>     dbRecordNode    *precnode = pdbentry->precnode;
>     char        *precord;
>     dbFldDes          *pflddes;
>     short               top, bottom, test;
>     char          **papsortFldName;
>     short              *sortFldInd;
>     int            compare,ind;
>     char        fieldName[MAX_FIELD_NAME_LENGTH];
>     char        *pfieldName;
>
>     if(!precordType) return(S_dbLib_recordTypeNotFound);
>     if(!precnode) return(S_dbLib_recNotFound);
>     precord = precnode->precord;
>     papsortFldName = precordType->papsortFldName;
>     sortFldInd = precordType->sortFldInd;
>     /*copy field name. Stop at null or blank or tab*/
>     pfieldName = &fieldName[0];
>     for(ind=0; ind<MAX_FIELD_NAME_LENGTH; ind++) {
>     if(*pname=='\0' || *pname==' ' || *pname=='\t') break;
>     *pfieldName++ = *pname++;
>     }
>     *pfieldName = '\0'; /* This is beyond the end of the fieldName[] */
>     pfieldName = &fieldName[0];

Jane and Rolf