tftpDriver bug in 4.10.2

Michael Davidsaver mdavidsaver at
Mon Jul 20 21:31:18 UTC 2015


It seems I've re-discovered this issue reported by Angus Gratton in 2010.

I can confirm Angus' diagnosis.  In rtems_tftp_eval_path(),
'pathloc->node_access' defaults to
'rtems_current_user_env->current_directory'.  In some cases
'->node_access' is replaced with a newly allocated string, in the others
it is not.  Unfortunately rtems_tftp_free_node_info() happily free()s
unless cwd=='/'.

I chased this down with GDB and confirmed that, in my case, when
cwd=='/epics/BOOTP_HOST/epics/myhost' the current directory string is
free'd when open() fails to open a file, which results in:

> Program heap: free of bad pointer 358CE4 -- range 2A1C10 - 7EE0000

when the following open() does the same.

Looking through the VCS history I think this issue was fixed in 2012 as
a consequence of*.  I haven't confirmed this since EPICS doesn't build
against the VCS master branch.

I have confirmed that it isn't fixed on the 4.10 branch.

If this bug were to be fixed on the 4.10 branch, is there any chance of
getting it included in a 4.10.3 release in the near future?


* 3b7c123c8d910eb60ab3b38dec6224e2de9847c9
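
The ownership problem described in the message above, as an added C sketch that is not part of the original post and is not RTEMS code: a location that sometimes borrows the current-directory string and sometimes owns a new allocation, released with an explicit ownership flag. All names are hypothetical, and the condition that decides between borrowing and allocating is an assumption made for the sketch.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins, not the RTEMS types or functions. */
static char cwd_buf[128] = "/";            /* long-lived current directory */

struct path_loc {
    char *node_access;                     /* borrowed cwd or malloc()ed path */
    int   owned;                           /* 1 only if node_access is ours to free */
};

void set_cwd(const char *dir) {
    snprintf(cwd_buf, sizeof cwd_buf, "%s", dir);
}

/* Evaluate a path. Assumption for this sketch: an empty relative path keeps
 * the default (borrowed cwd); anything else gets a newly allocated string. */
int eval_path(struct path_loc *loc, const char *rel) {
    loc->node_access = cwd_buf;            /* default: borrowed */
    loc->owned = 0;
    if (rel[0] == '\0')
        return 0;
    size_t n = strlen(cwd_buf) + strlen(rel) + 2;
    char *full = malloc(n);
    if (full == NULL)
        return -1;
    snprintf(full, n, "%s/%s", cwd_buf, rel);
    loc->node_access = full;               /* replaced: now owned */
    loc->owned = 1;
    return 0;
}

/* Release rule as described in the post: free unless cwd is "/".
 * Returned as a predicate so the invalid free() is never executed here. */
int described_rule_frees_borrowed(const struct path_loc *loc) {
    int would_free = strcmp(cwd_buf, "/") != 0;
    return would_free && loc->node_access == cwd_buf;
}

/* Ownership-tracking release: free only what eval_path() allocated. */
void free_node_info(struct path_loc *loc) {
    if (loc->owned)
        free(loc->node_access);
    loc->node_access = NULL;
    loc->owned = 0;
}
```

With the cwd from the post, the described rule reaches the borrowed string whenever the location was never replaced, while the flag-based release leaves it alone.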
