EPICS Controls Argonne National Laboratory

Experimental Physics and
Industrial Control System

Subject: How to crash an EPICS ioc on Intel/VxWorks
From: Jane Richards <[email protected]>
To: tech-talk <[email protected]>
Date: Wed, 10 May 2006 18:05:51 -0700
Hi,

Suffice it to say that serendipity played a big part - but we now have a definitive way to crash our Intel iocs (PC104 and VME based Pentium) using EPICS R3.13.10 and R3.14.6. Both architectures run VxWorks 5.5.1:

A channel access client (we have used dm, edm and caget) which asks for a PV that is composed of a valid record name and an (invalid) field name of greater than 19 characters crashes the CA_UDP task. A buffer overflow occurs in the dbStaticLib.c function dbFindField.

Our Motorola MV162s do not crash.

We have identified the offending code as follows (MAX_FIELD_NAME_LENGTH is defined as 20):

long epicsShareAPI dbFindField(DBENTRY *pdbentry,const char *pname)
{
    dbRecordType    *precordType = pdbentry->precordType;
    dbRecordNode    *precnode = pdbentry->precnode;
    char        *precord;
    dbFldDes          *pflddes;
    short               top, bottom, test;
    char          **papsortFldName;
    short              *sortFldInd;
    int            compare,ind;
    char        fieldName[MAX_FIELD_NAME_LENGTH];   /* 20 bytes: room for 19 chars + NUL */
    char        *pfieldName;

    if(!precordType) return(S_dbLib_recordTypeNotFound);
    if(!precnode) return(S_dbLib_recNotFound);
    precord = precnode->precord;
    papsortFldName = precordType->papsortFldName;
    sortFldInd = precordType->sortFldInd;
    /*copy field name. Stop at null or blank or tab*/
    pfieldName = &fieldName[0];
    /* The loop may copy MAX_FIELD_NAME_LENGTH characters, filling every byte of fieldName[] */
    for(ind=0; ind<MAX_FIELD_NAME_LENGTH; ind++) {
        if(*pname=='\0' || *pname==' ' || *pname=='\t') break;
        *pfieldName++ = *pname++;
    }
    *pfieldName = '\0'; /* This is beyond the end of the fieldName[] */
    pfieldName = &fieldName[0];

Jane and Rolf
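The off-by-one described above, shown as an added stand-alone example (not code from the post or from EPICS Base): the bound check in the original loop allows MAX_FIELD_NAME_LENGTH characters to be copied into an array of exactly that size, so the terminating NUL lands at index MAX_FIELD_NAME_LENGTH. The example reproduces the original loop's arithmetic without writing to memory, and places a bounded copy beside it that reserves one byte for the terminator and rejects names that would not fit. The FIELD_* return codes and all function names are assumptions for this example; only the 20-byte limit is taken from the post.

```c
#include <stdio.h>
#include <string.h>

/* Value quoted in the post: fieldName[] holds MAX_FIELD_NAME_LENGTH bytes,
 * so at most MAX_FIELD_NAME_LENGTH - 1 characters plus the terminator fit. */
#define MAX_FIELD_NAME_LENGTH 20

/* Hypothetical return codes for this example (not EPICS's S_dbLib_* codes). */
#define FIELD_OK            0
#define FIELD_NAME_TOO_LONG 1

/* Walk the name exactly as the original loop does (stop at NUL, blank or tab,
 * or after MAX_FIELD_NAME_LENGTH characters) but write nothing; return the
 * index at which the original code would store the terminator.  When the
 * name has 20 or more characters this equals MAX_FIELD_NAME_LENGTH, i.e. one
 * past the end of a fieldName[MAX_FIELD_NAME_LENGTH] array. */
int original_terminator_index(const char *pname)
{
    int ind;
    for (ind = 0; ind < MAX_FIELD_NAME_LENGTH; ind++) {
        if (pname[ind] == '\0' || pname[ind] == ' ' || pname[ind] == '\t')
            break;
    }
    return ind;
}

/* Bounded copy: same stop characters, but the loop leaves one byte for the
 * terminator, and a name that is still going when the buffer is full is
 * rejected rather than truncated, so an over-long bogus name can never be
 * confused with a real field.  dst must hold MAX_FIELD_NAME_LENGTH bytes. */
int copy_field_name_bounded(char *dst, const char *pname)
{
    int ind;
    for (ind = 0; ind < MAX_FIELD_NAME_LENGTH - 1; ind++) {
        if (pname[ind] == '\0' || pname[ind] == ' ' || pname[ind] == '\t')
            break;
        dst[ind] = pname[ind];
    }
    dst[ind] = '\0';   /* ind <= MAX_FIELD_NAME_LENGTH - 1, always in bounds */

    if (ind == MAX_FIELD_NAME_LENGTH - 1 &&
        pname[ind] != '\0' && pname[ind] != ' ' && pname[ind] != '\t') {
        dst[0] = '\0';             /* do not hand back a partial name */
        return FIELD_NAME_TOO_LONG;
    }
    return FIELD_OK;
}

/* Convenience for checks: length of the copied name, or -1 if rejected. */
int bounded_copy_len(const char *pname)
{
    char buf[MAX_FIELD_NAME_LENGTH];
    if (copy_field_name_bounded(buf, pname) != FIELD_OK)
        return -1;
    return (int)strlen(buf);
}

int main(void)
{
    /* Constructed inputs: a normal field name and an over-long bogus one. */
    const char *good = "VAL";
    const char *bad  = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";   /* 26 characters */

    printf("original would store NUL at index %d for a %d-char name (array size %d)\n",
           original_terminator_index(bad), (int)strlen(bad), MAX_FIELD_NAME_LENGTH);
    printf("bounded copy of \"%s\": length %d\n", good, bounded_copy_len(good));
    printf("bounded copy of over-long name: %d (rejected)\n", bounded_copy_len(bad));
    return 0;
}
```

The check on the post's own threshold is the 19/20 boundary: a 19-character name terminates at index 19 and is in bounds in both versions, while a 20-character name pushes the original terminator to index 20.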



Replies:
Re: How to crash an EPICS ioc on Intel/VxWorks Andrew Johnson