Experimental Physics and
Industrial Control System

Hi Andrew,

Concerning mantis 300. Presumably, db_get_field wouldn?t return more than
MAX_STRING_SIZE characters for a DBR_STRING, and my current conjecture is
that this bug occurred because it wrote exactly MAX_STRING_SIZE characters,
with no nill termination at the end, into RSRV's buffer? Is that presumption
correct? Furthermore, wouldn?t the correct behavior be to (artificially) add
a nill termination to exactly the end of RSRV's MAX_STRING_SIZE buffer in
that situation? 

I do see Michael's confusion on this issue, as the code that I added is
nanny-ing the situation ( to use your terminology :-) and probably wouldn?t
be necessary if db_get_field was strictly obeying the terms of the interface
definition.

Admittedly, we have a weaker level of confirmation for this particular bug.
I did not personally reproduce the bug. I relied instead on publishing the
patch, and then receiving confirmation from the impacted user that it was in
fact fixing his issue.

Jeff
______________________________________________________
Jeffrey O. Hill           Email        [email protected]
LANL MS H820              Voice        505 665 1831
Los Alamos NM 87545 USA   FAX          505 665 5107

Message content: TSPA


> -----Original Message-----
> From: Andrew Johnson [mailto:[email protected]]
> Sent: Thursday, June 03, 2010 9:39 AM
> To: Michael Abbott
> Cc: EPICS core; Jeff Hill
> Subject: Re: Hacking rsrv/camessage.c
> 
> Hi Michael,
> 
> > I'm in the middle of reworking read_reply() (rsrv/camessage.c) to
> > implement support for autoresizing arrays (I hope to post my patches
> > later
> > this week), and I've encountered a curious bit of special case code
> > that
> > I'm about to erase ... so thought I'd better ask about it.
> 
> Ooh, careful...
> 
> > I'm puzzled by this commit (I've edited out all the rest of the diff,
> > as
> > it doesn't affect my changes):
> >
> >
> > revno: 10992
> > committer: Jeff Hill <[email protected]>
> > branch nick: B3.14
> > timestamp: Fri 2007-09-07 17:43:52 +0000
> > message:
> >   fix for mantis entry 300:
> >   'assert (size <= ntohs ( pMsg->m_postsize ))' failed in
> > ..caserverio.c line 344
> > diff:
> > === modified file 'src/rsrv/camessage.c'
> > --- src/rsrv/camessage.c        2007-08-17 22:31:11 +0000
> > +++ src/rsrv/camessage.c        2007-09-07 17:43:52 +0000
> > @@ -586,16 +598,25 @@
> >              */
> >              if ( pevext->msg.m_dataType == DBR_STRING
> >                  && pevext->msg.m_count == 1 ) {
> > -                /* add 1 so that the string terminator will be
> > shipped */
> > -                strcnt = strlen ( (char *) pPayload ) + 1;
> > -                msgSize = strcnt;
> > +                char * pStr = (char *) pPayload;
> > +                size_t strcnt = strlen ( pStr );
> > +                if ( strcnt < payloadSize ) {
> > +                    payloadSize = ( ca_uint32_t ) ( strcnt + 1u );
> > +                }
> > +                else {
> > +                    pStr[payloadSize-1] = '\0';
> > +                    errlogPrintf (
> > +                        "caserver: read_reply: detected DBR_STRING
> > w/o nill termination "
> > +                        "in response from db_get_field, pPayload =
> \"%s\"\n",
> > +                        pStr );
> > +                }
> >              }
> >          }
> >          else {
> > -            memset ( pPayload, 0, msgSize );
> > +            memset ( pPayload, 0, payloadSize );
> >              cas_set_header_cid ( pClient, cacStatus );
> >             }
> > -        cas_commit_msg ( pClient, msgSize );
> > +        cas_commit_msg ( pClient, payloadSize );
> >      }
> >
> >      /*
> >
> >
> > I'm quite baffled.  Is there any reason not to *always* ship the
> > entire 40
> > characters of the EPICS string as a matter of course?  Or is this a
> > fine
> > grained optimisation to avoid shipping an extra average 20 bytes?
> 
> String fields on the database side are not limited to 40 characters long;
> the db_access API can't zero-terminate the source buffer.  Make sure that
> this code isn't protecting against that kind of condition, which is
> easiest to test using a record with a name longer than 40 characters and
> accessing its .NAME field.
> 
> You also have the Mantis bug number that this was fixing, so you should
> read the thread at https://bugs.launchpad.net/epics-base/+bug/mantis-300
> to follow that discussion, in case it helps.
> 
> Jeff will probably not be able to read email until he gets back to LANL
> next week.
> 
> - Andrew
> 
> PS: Could you re-post your patches by publishing a Bazaar branch and
> proposing a merge?  It's going to have to happen eventually, and it's
> easier to look at them that way IMHO...

References:

Hacking rsrv/camessage.c Michael Abbott

Re: Hacking rsrv/camessage.c Andrew Johnson

Navigate by Date:

Prev: Re: [Merge] lp:~ralph-lange/epics-base/fix-cpp-keywords into lp:epics-base Michael Abbott

Next: RE: EPICS protocol header Jeff Hill

Index: 2002  2003  2004  2005  2006  2007  2008  2009  <2010>  2011  2012  2013  2014  2015  2016  2017  2018  2019  2020  2021  2022  2023  2024 

Navigate by Thread:

Prev: RE: Hacking rsrv/camessage.c michael.abbott

Next: RE: Hacking rsrv/camessage.c Jeff Hill

Index: 2002  2003  2004  2005  2006  2007  2008  2009  <2010>  2011  2012  2013  2014  2015  2016  2017  2018  2019  2020  2021  2022  2023  2024