Re: Buffer overrun in handle_notice_message() - Mailing list pgsql-odbc

From Hiroshi Inoue
Subject Re: Buffer overrun in handle_notice_message()
Msg-id 44E6316A.5010301@tpf.co.jp
In response to Buffer overrun in handle_notice_message()  (Bart Samwel <bart@samwel.tk>)
List pgsql-odbc
Bart Samwel wrote:
> Hi all,
>
> I'd like to report a buffer overrun in handle_notice_message().
> Analysis: when I run a query >4096 characters that has a 'C' at a
> specific location (at a specific, small offset before a multiple of
> 4096), then the stack is trashed and the driver crashes. The code
> fragment:
>
> for (;;)
> {
>     truncated = SOCK_get_string(sock, msgbuffer, sizeof(msgbuffer));
>     if (!msgbuffer[0])
>         break;
>
>     mylog("%s: 'N' - %s\n", comment, msgbuffer);
>     qlog("NOTICE from backend during %s: '%s'\n", comment, msgbuffer);
>     switch (msgbuffer[0])
>     {
>         case 'S':
>             strncat(msgbuf, msgbuffer + 1, buflen);
>             strncat(msgbuf, ": ", buflen);
>             buflen -= (strlen(msgbuffer) + 1);
>             break;
>         case 'M':
>             strncat(msgbuf, msgbuffer + 1, buflen);
>             msg_truncated = truncated;
>             break;
>         case 'C':
>             if (sqlstate && !sqlstate[0] && strcmp(msgbuffer + 1, "00000"))
>                 strcpy(sqlstate, msgbuffer + 1);
>             break;
>     }
> }

Hi Bart,
Hmm, ISTM I should place the following code at the end of the above loop,
not after the above code.

    while (truncated)
        truncated = SOCK_get_string(sock, msgbuffer, sizeof(msgbuffer));

Actually I do so in handle_error_message().
I will fix it ASAP.
Thanks.

regards,
Hiroshi Inoue
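To make the failure mode concrete, here is an added C example (not psqlODBC code and not from either poster) that replays the notice loop over a constructed field stream with a deliberately tiny msgbuffer, so a long 'M' field is split and its second chunk starts with 'C'. sock_get_string() is a stand-in for SOCK_get_string(); instead of strcpy()ing into sqlstate, the 'C' case reports how many bytes would have been copied, and the drain flag applies the fix Hiroshi describes at the end of the loop body.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the wire data: NUL-terminated fields, ended by
 * an empty field. With an 8-byte msgbuffer the 'M' field is read in 7-byte
 * chunks, and the second chunk begins with "CREATE ". */
static const char kNotice[] =
    "Sinfo\0MnoticeCREATE TABLE will create implicit sequence\0\0";

typedef struct { const char *data; size_t pos, len; } sock_t;

/* Stand-in for SOCK_get_string(): copies at most buflen-1 bytes of the
 * current field into buf. Returns 1 if the field did not fit; the rest
 * stays unread, so the next call continues in the middle of the field. */
static int sock_get_string(sock_t *s, char *buf, size_t buflen)
{
    size_t i = 0;
    while (i + 1 < buflen && s->pos < s->len && s->data[s->pos] != '\0')
        buf[i++] = s->data[s->pos++];
    buf[i] = '\0';
    if (s->pos >= s->len) return 0;          /* stream exhausted */
    if (s->data[s->pos] != '\0') return 1;   /* truncated: rest still unread */
    s->pos++;                                /* consume the terminator */
    return 0;
}

/* Replays the loop from the report. The 'C' case returns the payload
 * length of the first 'C' field seen (the driver only stores it while
 * sqlstate is empty). SQLSTATE is 5 characters, so anything above 5 is
 * the overrun; with the real 4096-byte msgbuffer it can reach 4094. */
static size_t notice_sqlstate_len(const char *stream, size_t len, int drain)
{
    sock_t sock = { stream, 0, len };
    char msgbuffer[8];                       /* 4096 in the real driver */
    size_t result = 0;
    int seen = 0;
    for (;;) {
        int truncated = sock_get_string(&sock, msgbuffer, sizeof msgbuffer);
        if (!msgbuffer[0])
            break;
        if (msgbuffer[0] == 'C' && !seen) {  /* sqlstate still empty */
            seen = 1;
            result = strlen(msgbuffer + 1);
        }
        /* The fix: discard the remainder of a truncated field before the
         * next read, so a mid-field chunk is never parsed as a new field. */
        while (drain && truncated)
            truncated = sock_get_string(&sock, msgbuffer, sizeof msgbuffer);
    }
    return result;
}
```

Without the drain the chunk "CREATE " is parsed as a 'C' field carrying 6 bytes; with it the long 'M' field is consumed whole and no 'C' field is seen.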


