Ensure payload has size expected by C client (!24) · Merge requests · Heinz Junkes / jca

Heinz Junkes requested to merge github/fork/smarsching/string-and-array-encoder-bug into master Jan 29, 2018

Created by: smarsching

The C client does not validate the payload size indicated by a CA server when copying from the receive buffer into the DBR data structure.

This means that when a server sends a payload that is smaller than expected for the data-type and count, the client library reads beyond the receive buffer limits, potentially reading from uninitialized or sensitive memory and potentially resulting in a segmention fault.

The DBREncoder class had two bugs that could cause this kind of behavior when a C client connects to a server using the CAJ library:

The first problem was that for a count of zero, no elements were sent, but the client expects at least one element to be present in the payload, even if the count is zero and thus this element is never used.

The second problem was that for an empty string, only one byte was sent, but the client expected 40 bytes (EPICS string size).

This patch fixed both problems by filling the payload with null bytes in these cases.

Ensure payload has size expected by C client

Merge request reports