Experimental Physics and
Industrial Control System

Till Straumann <[email protected]> · Wed, 10 Mar 2004 14:58:49 -0800

Attached is a fix to a static string buffer overrun
problem. If a IP card driver's report routine returns
long strings (such as drvAvme470 / acromag IP),
the static buffer was overflown.
-- Till

Index: drvIpac.c
===================================================================
RCS file: /afs/slac/g/spear/cvsrep//epics/site/src/ipac/drvIpac/drvIpac.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -c -r1.3 -r1.4
*** drvIpac.c	19 Nov 2002 02:28:02 -0000	1.3
--- drvIpac.c	10 Mar 2004 22:52:05 -0000	1.4
***************
*** 376,388 ****
  
  */
  
  char *ipmReport (
      unsigned short carrier, 
      unsigned short slot
  ) {
!     static char report[80];
      int status;
  
      sprintf(report, "C%hd S%hd : ", carrier, slot);
  
      status = ipmCheck(carrier, slot);
--- 376,392 ----
  
  */
  
+ #define REPSIZE	80
+ 
  char *ipmReport (
      unsigned short carrier, 
      unsigned short slot
  ) {
!     static char *report = 0;
      int status;
  
+ 	report=realloc(report, REPSIZE);
+ 
      sprintf(report, "C%hd S%hd : ", carrier, slot);
  
      status = ipmCheck(carrier, slot);
***************
*** 404,412 ****
      }
  
      if (carriers.info[carrier]->driver->report != NULL) {
  	strcat(report, " - ");
! 	strcat(report, carriers.info[carrier]->driver->report(
! 			carriers.info[carrier]->cPrivate, slot));
      }
  
      return report;
--- 408,421 ----
      }
  
      if (carriers.info[carrier]->driver->report != NULL) {
+ 	char *drvrep = carriers.info[carrier]->driver->report(carriers.info[carrier]->cPrivate, slot);
+ 	int  l;
  	strcat(report, " - ");
! 	l = strlen(report) + strlen(drvrep) + 1;
! 	if ( l > REPSIZE ) {
! 		report = realloc(report, l );
! 	}
! 	strcat(report, drvrep);
      }
  
      return report;

Experimental Physics and Industrial Control System

Experimental Physics and
Industrial Control System