Complete.Org: Mailing Lists: Archives: freeciv-dev: December 2003:
[Freeciv-Dev] (PR#7018) Buffer overflow
To: undisclosed-recipients: ;
Subject: [Freeciv-Dev] (PR#7018) Buffer overflow
From: "Raimar Falke" <i-freeciv-lists@xxxxxxxxxxxxx>
Date: Mon, 1 Dec 2003 12:53:39 -0800
Reply-to: rt@xxxxxxxxxxx

<URL: http://rt.freeciv.org/Ticket/Display.html?id=7018 >


If a large savegame is loaded (like the one from PR#7016) a big chunk
of compressed data is added to the send buffer. The send buffer
however will only increase by MAX_LEN_PACKET in such cases. This is
not enough. You get a core dump when you want to free the buffer (when
the client disconnects).

I would apply it immediately, but others may prefer different strategies
for the expansion of the buffer. The patch allocates as much space as
needed and not more. It is also possible to allocate some more.

        Raimar

-- 
 email: rf13@xxxxxxxxxxxxxxxxx
 Windows: Where do you want to go today?
 Linux: Where do you want to go tomorrow?
 BSD: Are you guys coming or what?

Index: common/connection.c
===================================================================
RCS file: /home/freeciv/CVS/freeciv/common/connection.c,v
retrieving revision 1.35
diff -u -u -r1.35 connection.c
--- common/connection.c 2003/11/28 17:37:21     1.35
+++ common/connection.c 2003/12/01 20:43:22
@@ -285,7 +285,7 @@
            buf->nsize);
     /* room for more? */
     if(buf->nsize - buf->ndata < len) {
-      buf->nsize += MAX_LEN_PACKET;
+      buf->nsize = buf->ndata + len;
 
       /* added this check so we don't gobble up too much mem */
       if (buf->nsize > MAX_LEN_BUFFER) {
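Review bot: `buf->nsize = buf->ndata + len;` grows the buffer to an exact fit, so once it is full every later append that does not fit triggers another reallocation, whereas the old `+= MAX_LEN_PACKET` at least amortised small packets (its defect was only that it added a single packet's worth regardless of `len`). Consider growing to the larger of the two, e.g. `buf->nsize = MAX(buf->ndata + len, buf->nsize + MAX_LEN_PACKET);`, which still guarantees room for the large chunk. Also note that `nsize` is assigned before the `MAX_LEN_BUFFER` check below it runs; on the rejecting branch (not visible in this hunk) make sure the reallocation is skipped and `nsize` again matches the actual allocation, otherwise the size field and the buffer disagree.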
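The following is an added example, not Freeciv's own code: a small send buffer modelled on the two fields visible in the hunk (ndata, nsize) that lets you compare the three growth policies side by side. `MAX_LEN_PACKET`, `MAX_LEN_BUFFER`, the struct layout, the function names and the sample payloads are all constructed here; Freeciv's real values and types are not shown on this page. Unlike the original code, it re-checks the remaining room after growing and refuses the copy instead of writing past the allocation, so the fixed-step bug is observable as an error code rather than as heap corruption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Placeholder limits; Freeciv's real values are not shown on this page. */
#define MAX_LEN_PACKET 4096
#define MAX_LEN_BUFFER (1 << 20)

/* Modelled on the fields visible in the hunk (ndata, nsize); the backing
 * store and the realloc counter are added for the demonstration. */
struct send_buffer {
  size_t ndata;        /* bytes queued */
  size_t nsize;        /* bytes allocated at data */
  unsigned char *data;
  unsigned reallocs;   /* how often the buffer was grown */
};

enum grow_policy {
  GROW_FIXED_STEP,    /* old code: nsize += MAX_LEN_PACKET, whatever len is */
  GROW_EXACT,         /* the patch: nsize = ndata + len */
  GROW_EXACT_OR_STEP  /* variant: the larger of the two */
};

/* 0 on success; -1 when rejected by the memory cap or by allocation failure;
 * -2 when the buffer is still too small after growing. The -2 check is what
 * the original lacked: without it GROW_FIXED_STEP writes past data and
 * corrupts the heap, which surfaces later as the crash in free(). */
int buffer_append(struct send_buffer *buf, const unsigned char *src,
                  size_t len, enum grow_policy policy)
{
  if (len > MAX_LEN_BUFFER - buf->ndata) {
    return -1;  /* also keeps ndata + len from wrapping */
  }
  if (buf->nsize - buf->ndata < len) {
    size_t new_size = buf->ndata + len;   /* GROW_EXACT */
    if (policy == GROW_FIXED_STEP) {
      new_size = buf->nsize + MAX_LEN_PACKET;
    } else if (policy == GROW_EXACT_OR_STEP
               && new_size < buf->nsize + MAX_LEN_PACKET) {
      new_size = buf->nsize + MAX_LEN_PACKET;
    }
    if (new_size > MAX_LEN_BUFFER) {
      return -1;  /* reject before touching nsize or the allocation */
    }
    unsigned char *p = realloc(buf->data, new_size);
    if (p == NULL) {
      return -1;
    }
    buf->data = p;
    buf->nsize = new_size;
    buf->reallocs++;
  }
  if (buf->nsize - buf->ndata < len) {
    return -2;  /* growth insufficient: refuse rather than overflow */
  }
  memcpy(buf->data + buf->ndata, src, len);
  buf->ndata += len;
  return 0;
}

static int buffer_init(struct send_buffer *buf)
{
  buf->ndata = 0;
  buf->nsize = MAX_LEN_PACKET;
  buf->reallocs = 0;
  buf->data = malloc(buf->nsize);
  return buf->data ? 0 : -1;
}

/* Constructed scenario 1: a chunk three packets long (standing in for the
 * compressed savegame) into a fresh buffer. Returns the negative error code,
 * or the resulting nsize on success. */
long demo_large_chunk(enum grow_policy policy)
{
  struct send_buffer buf;
  size_t len = 3 * MAX_LEN_PACKET;
  unsigned char *chunk;
  long rc;
  if (buffer_init(&buf) != 0) return -1;
  if ((chunk = malloc(len)) == NULL) { free(buf.data); return -1; }
  memset(chunk, 'x', len);  /* constructed payload */
  rc = buffer_append(&buf, chunk, len, policy);
  if (rc == 0) rc = (long) buf.nsize;
  free(chunk);
  free(buf.data);
  return rc;
}

/* Constructed scenario 2: 100 packets of 100 bytes. Returns the number of
 * reallocations, which is the cost of exact-fit growth. */
unsigned demo_many_small(enum grow_policy policy)
{
  struct send_buffer buf;
  unsigned char pkt[100];
  unsigned n;
  int i = 0;
  if (buffer_init(&buf) != 0) return 0;
  memset(pkt, 'p', sizeof pkt);
  while (i < 100 && buffer_append(&buf, pkt, sizeof pkt, policy) == 0) i++;
  n = buf.reallocs;
  free(buf.data);
  return n;
}

int main(void)
{
  printf("fixed step, large chunk:  %ld\n", demo_large_chunk(GROW_FIXED_STEP));
  printf("exact fit, large chunk:   %ld\n", demo_large_chunk(GROW_EXACT));
  printf("exact fit, 100 small:     %u reallocs\n", demo_many_small(GROW_EXACT));
  printf("exact-or-step, 100 small: %u reallocs\n", demo_many_small(GROW_EXACT_OR_STEP));
  return 0;
}
```

With the constructed values the fixed-step policy ends up with 8192 bytes for a 12288-byte chunk and is refused, both exact policies grow to 12288 bytes, and for a stream of small packets exact-fit growth reallocates on every append once the initial block is full (60 times here) where the exact-or-step variant reallocates twice.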
