Fix off by one error in constant link fetch

For long string buffers, we currently write a null terminator one byte
past the end of the buffer. This can be seen with a record of the type

```
record(aai, foo) {
  field(NELM, 1)
  field(FTVL, CHAR)
  field(INP, {const: "foo"})
}
```
where the buffer is only of size 1, but then we write at index 1 (aka
past the end of the buffer).

Co-authored-by: Lucas A. M. Magalhães <lucmaga@gmail.com>
This commit is contained in:
Simon Rose
2024-03-13 14:45:39 +01:00
committed by mdavidsaver
parent ede745cc34
commit 1b46077096

@ -495,9 +495,11 @@ static long lnkConst_loadArray(struct link *plink, short dbrType, void *pbuffer,
} }
else { else {
/* Long string conversion */ /* Long string conversion */
strncpy(pbuffer, clink->value.scalar_string, *pnReq); if (*pnReq > 0) {
((char *)pbuffer)[*pnReq] = 0; strncpy(pbuffer, clink->value.scalar_string, *pnReq);
nElems = strlen(pbuffer) + 1; ((char *)pbuffer)[*pnReq - 1] = 0;
nElems = strlen(pbuffer) + 1;
}
status = 0; status = 0;
} }
break; break;
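
Review bot: in the new `if (*pnReq > 0)` block, `nElems` is assigned only when the guard passes, yet `status = 0;` still runs when `*pnReq` is 0, so on that path the function reports success with `nElems` holding whatever it was set to before this branch. Either add an explicit `else nElems = 0;` or a comment stating that `nElems` is already initialised to a safe value at this point, so the zero-length case is visibly handled. Since `((char *)pbuffer)[*pnReq - 1] = 0;` now truncates silently, a regression test with the `NELM` 1 record from the commit message would also be worth adding: for `*pnReq` of 1 the buffer should end up holding only the terminator and `nElems` should be 1.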