From 6c914d19c3cfa2d183e44b7fe2c6211ab8c24a58 Mon Sep 17 00:00:00 2001
From: Michael Davidsaver
Date: Mon, 1 Jun 2020 08:25:55 -0700
Subject: [PATCH] db: validate dbrType
---
 modules/database/src/ioc/db/dbAccess.c | 2 ++
 modules/database/src/ioc/db/dbCa.c | 6 ++++++
 modules/database/src/ioc/db/dbConvertJSON.c | 3 +++
 modules/database/src/std/link/lnkCalc.c | 14 ++++++++++++--
 modules/database/src/std/link/lnkConst.c | 10 +++++++++-
 modules/database/src/std/link/lnkState.c | 7 ++++++-
 modules/database/test/ioc/db/jlinkz.c | 7 ++++++-
 7 files changed, 44 insertions(+), 5 deletions(-)
diff --git a/modules/database/src/ioc/db/dbAccess.c b/modules/database/src/ioc/db/dbAccess.c
index e5880511a..9cda401ad 100644
--- a/modules/database/src/ioc/db/dbAccess.c
+++ b/modules/database/src/ioc/db/dbAccess.c
@@ -736,6 +736,8 @@ long dbValueSize(short dbr_type)
 sizeof(epicsFloat64), /* DOUBLE */
 sizeof(epicsEnum16)}; /* ENUM */
+ if(dbr_type>=NELEMENTS(size))
+ return 0;
 return(size[dbr_type]);
 }
diff --git a/modules/database/src/ioc/db/dbCa.c b/modules/database/src/ioc/db/dbCa.c
index 3403f2c8d..4ae39bbce 100644
--- a/modules/database/src/ioc/db/dbCa.c
+++ b/modules/database/src/ioc/db/dbCa.c
@@ -52,6 +52,9 @@
 #include "recGbl.h"
 #include "recSup.h"
+/* from dbAccessDefs.h which can't be included here */
+#define S_db_badDbrtype (M_dbAccess| 3)
+
 /* defined in dbContext.cpp * Setup local CA access */
@@ -457,6 +460,9 @@ long dbCaPutLinkCallback(struct link *plink,short dbrType,
 long status = 0;
 short link_action = 0;
+ if(INVALID_DB_REQ(dbrType))
+ return S_db_badDbrtype;
+
 assert(pca);
 /* put the new value in */
 epicsMutexMustLock(pca->lock);
diff --git a/modules/database/src/ioc/db/dbConvertJSON.c b/modules/database/src/ioc/db/dbConvertJSON.c
index e341799ed..9c281e2f5 100644
--- a/modules/database/src/ioc/db/dbConvertJSON.c
+++ b/modules/database/src/ioc/db/dbConvertJSON.c
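Review bot: In dbValueSize the new guard `if(dbr_type>=NELEMENTS(size))` rejects a negative `dbr_type` only by way of the implicit conversion of the signed `short` to the unsigned type of the `NELEMENTS` expression (presumably `size_t`; the macro is not visible in this diff). Writing the lower bound out, `if(dbr_type < 0 || (size_t)dbr_type >= NELEMENTS(size))`, keeps the check correct independently of how the macro is defined and avoids a sign-compare warning. The `return 0` is an in-band sentinel, so the function should carry a comment such as `/* returns 0 for an out-of-range dbr_type; callers must not use that as an element size */`. The start of dbValueSize lies outside the hunk.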
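Review bot: The local `#define S_db_badDbrtype (M_dbAccess| 3)` added to dbCa.c duplicates a status code whose authoritative definition is in dbAccessDefs.h, and nothing in the patch ties the two together. Since that header reportedly cannot be included here, a later change to the header value would presumably leave dbCaPutLinkCallback returning a stale code with no compiler diagnostic. Consider moving the code into a header that dbCa.c can include, or adding a compile-time equality check in a translation unit that sees both definitions. At minimum the comment should say so: `/* must match S_db_badDbrtype in dbAccessDefs.h, which can't be included here */`.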
@@ -159,6 +159,9 @@ long dbPutConvertJSON(const char *json, short dbrType,
 size_t jlen = strlen(json);
 long status;
+ if(INVALID_DB_REQ(dbrType))
+ return S_db_badDbrtype;
+
 parser->depth = 0;
 parser->dbrType = dbrType;
 parser->dbrSize = dbValueSize(dbrType);
diff --git a/modules/database/src/std/link/lnkCalc.c b/modules/database/src/std/link/lnkCalc.c
index bf0cc6728..7f411482a 100644
--- a/modules/database/src/std/link/lnkCalc.c
+++ b/modules/database/src/std/link/lnkCalc.c
@@ -553,7 +553,12 @@ static long lnkCalc_getValue(struct link *plink, short dbrType, void *pbuffer,
 dbCommon *prec = plink->precord;
 int i;
 long status;
- FASTCONVERT conv = dbFastPutConvertRoutine[DBR_DOUBLE][dbrType];
+ FASTCONVERT conv;
+
+ if(INVALID_DB_REQ(dbrType))
+ return S_db_badDbrtype;
+
+ conv = dbFastPutConvertRoutine[DBR_DOUBLE][dbrType];
 /* Any link errors will trigger a LINK/INVALID alarm in the child link */
 for (i = 0; i < clink->nArgs; i++) {
@@ -624,7 +629,12 @@ static long lnkCalc_putValue(struct link *plink, short dbrType,
 dbCommon *prec = plink->precord;
 int i;
 long status;
- FASTCONVERT conv = dbFastGetConvertRoutine[dbrType][DBR_DOUBLE];
+ FASTCONVERT conv;
+
+ if(INVALID_DB_REQ(dbrType))
+ return S_db_badDbrtype;
+
+ conv = dbFastGetConvertRoutine[dbrType][DBR_DOUBLE];
 /* Any link errors will trigger a LINK/INVALID alarm in the child link */
 for (i = 0; i < clink->nArgs; i++) {
diff --git a/modules/database/src/std/link/lnkConst.c b/modules/database/src/std/link/lnkConst.c
index cb948fcb3..cc443e0ba 100644
--- a/modules/database/src/std/link/lnkConst.c
+++ b/modules/database/src/std/link/lnkConst.c
@@ -361,6 +361,9 @@ static long lnkConst_loadScalar(struct link *plink, short dbrType, void *pbuffer
 const_link *clink = CONTAINER(plink->value.json.jlink, const_link, jlink);
 long status;
+ if(INVALID_DB_REQ(dbrType))
+ return S_db_badDbrtype;
+
 switch (clink->type) {
 case si64:
 if (clink->jlink.debug)
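Review bot: The `INVALID_DB_REQ(dbrType)` guard in lnkCalc_getValue is repeated by hand in every link handler this patch touches (lnkCalc_putValue, lnkConst_loadScalar, lnkConst_loadArray, lnkState_getValue, z_putval), so any link type the patch does not touch still indexes `dbFastPutConvertRoutine` or `dbFastGetConvertRoutine` with an unchecked `dbrType`. If link support has a common entry point that dispatches to these handlers (not visible in this diff), validating there once would also cover link types outside this tree; the per-handler checks could stay as defence in depth. A short comment above the check, e.g. `/* dbrType indexes the conversion table below; reject out-of-range values first */`, would record why the initialiser was split from the declaration. The function body continues outside the hunk.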
@@ -451,12 +454,17 @@ static long lnkConst_loadArray(struct link *plink, short dbrType, void *pbuffer,
 long *pnReq)
 {
 const_link *clink = CONTAINER(plink->value.json.jlink, const_link, jlink);
- short dbrSize = dbValueSize(dbrType);
+ short dbrSize;
 char *pdest = pbuffer;
 int nElems = clink->nElems;
 FASTCONVERT conv;
 long status;
+ if(INVALID_DB_REQ(dbrType))
+ return S_db_badDbrtype;
+
+ dbrSize = dbValueSize(dbrType);
+
 if (nElems > *pnReq) nElems = *pnReq;
diff --git a/modules/database/src/std/link/lnkState.c b/modules/database/src/std/link/lnkState.c
index b8791bd3b..7a7f709e5 100644
--- a/modules/database/src/std/link/lnkState.c
+++ b/modules/database/src/std/link/lnkState.c
@@ -142,7 +142,12 @@ static long lnkState_getValue(struct link *plink, short dbrType, void *pbuffer,
 {
 state_link *slink = CONTAINER(plink->value.json.jlink, struct state_link, jlink);
- FASTCONVERT conv = dbFastPutConvertRoutine[DBR_SHORT][dbrType];
+ FASTCONVERT conv;
+
+ if(INVALID_DB_REQ(dbrType))
+ return S_db_badDbrtype;
+
+ conv = dbFastPutConvertRoutine[DBR_SHORT][dbrType];
 slink->val = slink->invert ^ dbStateGet(slink->state);
 return conv(&slink->val, pbuffer, NULL);
diff --git a/modules/database/test/ioc/db/jlinkz.c b/modules/database/test/ioc/db/jlinkz.c
index fc98ff3b3..876227bfa 100644
--- a/modules/database/test/ioc/db/jlinkz.c
+++ b/modules/database/test/ioc/db/jlinkz.c
@@ -117,9 +117,14 @@ long z_putval(struct link *plink, short dbrType, const void *pbuffer, long nRequest)
 {
 long ret;
- long (*pconv)(epicsInt32 *, const void *, const dbAddr *) = dbFastPutConvertRoutine[DBF_LONG][dbrType];
+ long (*pconv)(epicsInt32 *, const void *, const dbAddr *);
 zpriv *priv = CONTAINER(plink->value.json.jlink, zpriv, base);
+ if(INVALID_DB_REQ(dbrType))
+ return S_db_badDbrtype;
+
+ pconv = dbFastPutConvertRoutine[DBF_LONG][dbrType];
+
 if(nRequest==0) return 0;
 epicsMutexLock(priv->lock);
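Review bot: lnkConst_loadArray now validates `dbrType` but still trusts the element count from the same caller: in `if (nElems > *pnReq) nElems = *pnReq;` a negative `*pnReq` yields a negative `nElems`. Whether the copy logic tolerates that cannot be judged here because the body continues outside the hunk; if callers do not guarantee a non-negative count, clamp it right after the existing clamp with `if (nElems < 0) nElems = 0;`. Separately, `short dbrSize` receives the `long` result of dbValueSize; declaring it `long`, or adding a comment that the value is always a small element size, would make the narrowing deliberate.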
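Review bot: No test in this patch exercises the new rejection path: the only file changed under test/ is jlinkz.c, and its change only adds the same guard to z_putval. A case that passes a negative `dbrType` and one above the largest valid request type and expects `S_db_badDbrtype` would keep the guards from regressing. Note also that in z_putval the check now runs before `if(nRequest==0) return 0;`, so a zero-length put with an invalid type changes from success to an error; a comment such as `/* type is validated even when nRequest is 0 */` would mark that as intended.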