[GRASS5] Buffer overflow in G_recreate_command()...
Glynn Clements
glynn.clements at virgin.net
Mon Jun 4 02:57:25 EDT 2001
Eric G. Miller wrote:
> > I wonder if the buffers for G_recreate_command() and the display drivers
> > (at least for the pad list) should be up to ARG_MAX or at least
> > _POSIX_ARG_MAX which must be at least 4096. G_recreate_command() should
> > also have better behavior when its limits are reached (it currently
> > abuses strcat).
>
> I modified G_recreate_command to use a buffer of ARG_MAX size and to
> make sure the buffer isn't overrun. Still, I get a sigpipe from the X
> server and it exits. I traced it on the client side to the point in
> Rasterlib where flushout() is called by _send_char. Is there some
> problem here if the buffer is flushed, but the communication is not
> complete?
Note that the driver reads the second argument for PAD_APPEND_ITEM
(and most other commands which take an arbitrary string as an
argument) into a 1024 byte buffer.

This limitation is simply a result of process_command() using a
fixed-size buffer for reading strings from the client; there isn't any
limitation elsewhere.

Any suggestions as to how big this buffer ought to be? Or does it need
to be dynamically allocated?
--
Glynn Clements <glynn.clements at virgin.net>
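
An added example, not part of the original message and not GRASS code: one way the dynamically allocated alternative raised above could look, with a growing heap buffer and a hard upper limit in place of a fixed 1024-byte array. It assumes strings arrive NUL-terminated one byte at a time; `read_string`, `mem_get`, `struct mem_src` and the 4096-byte limit are hypothetical names and values chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed in-memory byte source standing in for the client connection. */
struct mem_src { const unsigned char *data; size_t len, pos; };

static int mem_get(void *ctx)
{
    struct mem_src *s = ctx;
    return s->pos < s->len ? s->data[s->pos++] : -1;   /* -1 = end of input */
}

/* Hypothetical helper: read one NUL-terminated string of at most max_len
 * bytes into a growing heap buffer. Returns NULL on allocation failure, on
 * end of input before the NUL, or if too long (the excess is drained). */
static char *read_string(int (*get)(void *), void *ctx, size_t max_len)
{
    size_t cap = 64, len = 0;
    char *buf = malloc(cap), *tmp;
    int c = -1, too_long = 0;

    while (buf && (c = get(ctx)) > 0) {
        if (too_long || len == max_len) {   /* over the cap: discard the rest */
            too_long = 1;
            continue;
        }
        if (len + 1 == cap) {               /* always keep room for the NUL */
            if (!(tmp = realloc(buf, cap *= 2)))
                break;                      /* c > 0 here, so we fail below */
            buf = tmp;
        }
        buf[len++] = (char)c;
    }
    if (!buf || c != 0 || too_long) {
        free(buf);
        return NULL;
    }
    buf[len] = '\0';
    return buf;
}

int main(void)
{
    static const unsigned char msg[] = "d.rast map=elevation"; /* constructed */
    struct mem_src src = { msg, sizeof msg, 0 };
    char *s = read_string(mem_get, &src, 4096);
    puts(s ? s : "(rejected)");
    free(s);
}
```

Draining an over-long string to its terminator keeps the reader aligned with the start of the next item, so one rejected argument does not desynchronize the rest of the stream.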