Experimental Physics and
Suffice it to say that serendipity played a big part, but we now have a definitive way to crash our Intel IOCs (PC104 and VME based Pentium) using EPICS R3.13.10 and R3.14.6. Both architectures run VxWorks 5.5.1.

A channel access client (we have used dm, edm and caget) which asks for a PV that is composed of a valid record name and an (invalid) field name of greater than 19 characters crashes the CA_UDP task. A buffer overflow occurs in the dbStaticLib.c function dbFindField. Our Motorola MV162s do not crash.

We have identified the offending code as follows (MAX_FIELD_NAME_LENGTH is defined as 20):

    long epicsShareAPI dbFindField(DBENTRY *pdbentry,const char *pname)
    {
        dbRecordType *precordType = pdbentry->precordType;
        dbRecordNode *precnode = pdbentry->precnode;
        char *precord;
        dbFldDes *pflddes;
        short top, bottom, test;
        char **papsortFldName;
        short *sortFldInd;
        int compare,ind;
        char fieldName[MAX_FIELD_NAME_LENGTH];
        char *pfieldName;
        /* ... remainder of the function not quoted in the post ... */

Jane and Rolf
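Added example (editor's illustration, not code from the post and not the EPICS dbFindField source): the program below re-creates only the step the post identifies, copying the part after the '.' of a "RECORD.FIELD" name into a fixed 20-byte stack buffer, and places it beside a bounded version that rejects a field part that would not fit. The PV names, the function names find_field_unsafe and find_field_safe and the assumption that a missing or empty field part is an error are all constructed for this example; the real function also looks the name up in a sorted field table (the papsortFldName and sortFldInd declarations above), which is not reproduced here. Whether an unbounded copy of this kind crashes the task or passes unnoticed depends on what the compiler placed beyond the buffer, which is why the same bug can be silent on one board and fatal on another.

```c
#include <stdio.h>
#include <string.h>

/* Same value the post quotes: 19 characters plus the terminating NUL. */
#define MAX_FIELD_NAME_LENGTH 20

/* Constructed stand-in for the unsafe step the post describes (NOT the EPICS
 * source). The part after the '.' is copied into a 20-byte stack buffer with
 * no length check, so a field part of 20 or more characters writes past the
 * end of fieldName. Returns the field length, or -1 when there is no '.'.
 * Only ever call this with field parts shorter than MAX_FIELD_NAME_LENGTH:
 * anything longer is undefined behaviour, which is the whole point. */
int find_field_unsafe(const char *pname)
{
    char fieldName[MAX_FIELD_NAME_LENGTH];
    const char *pdot = strchr(pname, '.');
    if (pdot == NULL)
        return -1;
    strcpy(fieldName, pdot + 1);        /* BUG: unbounded copy */
    return (int)strlen(fieldName);
}

/* Hardened form: measure the field part first and refuse anything that will
 * not fit together with its NUL, so an over-long client request becomes a
 * lookup failure instead of stack corruption in the server task. Returns the
 * field length, or -1 on a missing, empty or over-long field part (the
 * empty-field rule is an assumption made for this example). */
int find_field_safe(const char *pname)
{
    char fieldName[MAX_FIELD_NAME_LENGTH];
    const char *pdot = strchr(pname, '.');
    if (pdot == NULL)
        return -1;
    size_t flen = strlen(pdot + 1);
    if (flen == 0 || flen >= sizeof fieldName)
        return -1;                      /* would need flen + 1 bytes */
    memcpy(fieldName, pdot + 1, flen + 1);
    return (int)flen;
}

int main(void)
{
    /* Constructed PV names: a normal request, a field part of exactly 19
     * characters (the largest that fits), one of 20 (the first that would
     * overflow the unsafe version) and a name with no field part at all. */
    const char *names[] = {
        "demo:rec.VAL",
        "demo:rec.ABCDEFGHIJKLMNOPQRS",
        "demo:rec.ABCDEFGHIJKLMNOPQRST",
        "demo:rec",
    };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-32s -> %d\n", names[i], find_field_safe(names[i]));
    return 0;
}
```

The check in find_field_safe is the one a practitioner would look for in any code that copies client-supplied names into a fixed buffer: compare the length against the buffer size before the copy, and treat the over-long case as an ordinary "field not found" error rather than letting it reach memcpy or strcpy.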
ANJ, 02 Sep 2010