[GRASS5] Buffer overflow in G_recreate_command()...

Eric G. Miller egm2 at jps.net
Tue Jun 5 00:54:20 EDT 2001


On Mon, Jun 04, 2001 at 07:57:25AM +0100, Glynn Clements wrote:
> Note that the driver reads the second argument for PAD_APPEND_ITEM
> (and most other commands which take an arbitrary string as an
> argument) into a 1024 byte buffer.
> 
> This limitation is simply a result of process_command() using a
> fixed-size buffer for reading strings from the client; there isn't any
> limitation elsewhere.
> 
> Any suggestions as to how big this buffer ought to be? Or does it need
> to be dynamically allocated?

I don't know that the buffer needs to be bigger, but maybe.  With the
PAD_LIST, it appears the data eventually gets put in dynamic memory
anyway.  One possibility would be to add a "SIZE" argument to the text
commands so the read commands would know exactly how much space to
allocate and if the "transaction" was complete.  The other possibility is to
make the buffer "ARG_MAX" + 1 size, though that may be a little greedy
(around 13.5k here...).  The second is the easiest to implement and will
guarantee any command possibly given for that system will fit into the
read buffer.

-- 
Eric G. Miller <egm2 at jps.net>
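
Added example, not part of the original message and not GRASS code: a sketch of the "SIZE" argument idea discussed above, where the reader learns the string length first, allocates exactly that much, and can tell when the transaction is incomplete. The wire format (4-byte big-endian length), the names `read_full` and `read_sized_text`, and the `MAX_TEXT_ARG` cap are all assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <unistd.h>

#define MAX_TEXT_ARG (128u * 1024u)  /* assumed upper bound, not from the thread */

/* Read exactly n bytes from fd; 0 on success, -1 on EOF or error. */
static int read_full(int fd, void *buf, size_t n)
{
    unsigned char *p = buf;

    while (n > 0) {
        ssize_t r = read(fd, p, n);
        if (r < 0 && errno == EINTR)
            continue;               /* interrupted, retry */
        if (r <= 0)
            return -1;              /* peer closed early or I/O error */
        p += r;
        n -= (size_t)r;
    }
    return 0;
}

/* Hypothetical format: 4-byte big-endian SIZE, then SIZE bytes of text.
 * Returns a malloc'd, NUL-terminated copy (caller frees), or NULL when the
 * size exceeds the cap, allocation fails, or fewer than SIZE bytes arrive. */
char *read_sized_text(int fd, size_t *len_out)
{
    unsigned char hdr[4];
    uint32_t size;
    char *s;

    if (read_full(fd, hdr, sizeof hdr) != 0)
        return NULL;
    size = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
           ((uint32_t)hdr[2] << 8) | (uint32_t)hdr[3];
    if (size > MAX_TEXT_ARG)
        return NULL;                /* reject before allocating anything */
    s = malloc((size_t)size + 1);   /* +1 for the terminator */
    if (s == NULL)
        return NULL;
    if (read_full(fd, s, size) != 0) {
        free(s);                    /* incomplete "transaction" */
        return NULL;
    }
    s[size] = '\0';
    if (len_out)
        *len_out = size;
    return s;
}
```

The cap matters as much as the length prefix: without it, a client-supplied SIZE would let the client choose how much memory the driver allocates.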


