Undefined behavior - hk unit test #353
Description
The hk unit test contains an undefined behavior where out of bounds array access occurs. See paragraph 6.5.6/8 of the C18 standard for more details.
The undefined behavior occurs when the pointer variable OuterCpyEntry is dereferenced:
airliner/apps/hk/fsw/src/hk_utils.c
Line 195 in 2ab9c87
The pointer variable OuterCpyEntry is initialized to point to elements of array StartOfCopyTable inside a loop as follows:
airliner/apps/hk/fsw/src/hk_utils.c
Lines 188 to 190 in 2ab9c87
The value that the array pointer StartOfCopyTable has when the undefined behavior occurs is the value of the global pointer variable HK_AppData.CopyTablePtr, propagated to it through the call chain. The HK_AppData.CopyTablePtr global pointer variable is initialized in line 92 of the HK_AppMain_Test_Nominal test, one of the tests performed by the hk unit test.
airliner/apps/hk/fsw/unit_test/hk_app_test.c
Lines 87 to 92 in 2ab9c87
Note that HK_AppData.CopyTablePtr is initialized here as an one element array. Given that, and the fact that the array is accessed in a loop that assumes more than one elements, we have an out of bounds array access.
Note that there is code between the original initialization of the global pointer variable HK_AppData.CopyTablePtr and the out of bounds access that can load an array into memory and overwrite the prior value of HK_AppData.CopyTablePtr to point to it.
airliner/apps/hk/fsw/src/hk_app.c
Lines 308 to 310 in 2ab9c87
airliner/apps/hk/fsw/src/hk_app.c
Lines 337 to 338 in 2ab9c87
However, this code is skipped because the hooks CFE_TBL_Load and CFE_TBL_GetAddress (that would load the array and change the value of HK_AppData.CopyTablePtr respectively) are configured at the initialization of the test to only return a specified return code.
airliner/apps/hk/fsw/unit_test/hk_app_test.c
Lines 107 to 111 in 2ab9c87
A similar issue occurs for other tests performed by the hk unit test.