28 Mar, 2016, MayaRK wrote in the 1st comment:
I'm not sure if this is a known bug already but I noticed an issue with write_to_buffer() in comm.c in ROM 2.4.

void write_to_buffer( DESCRIPTOR_DATA *d, const char *txt, int length ) {
    if ( d == NULL || d->valid == FALSE )
        return;

    if ( length <= 0 )
        length = strlen( txt );

    /* Start a fresh line if this output doesn't follow a command. */
    if ( d->outtop == 0 && !d->fcommand ) {
        d->outbuf[0] = '\n';
        d->outbuf[1] = '\r';
        d->outtop = 2;
    }

    /* Double the buffer until the new text fits. */
    while ( d->outtop + length >= d->outsize ) {
        char *outbuf;

        if ( d == NULL || d->valid == FALSE ) {
            dbbug( d == NULL ? "write_to_buffer(): NULL Descriptor!" : "write_to_buffer(): d->valid == FALSE", 0 );
            return;
        }
        if ( d->outsize >= 131072 ) {
            close_socket( d, TRUE );
            dbbug( "Buffer overflow. Closing.", 0 );
            return;
        }
        outbuf = malloc( 2 * d->outsize );
        strncpy( outbuf, d->outbuf, d->outtop );
        free( d->outbuf );
        d->outbuf = outbuf;
        d->outsize *= 2;
    }
    strncpy( d->outbuf + d->outtop, txt, length );
    d->outtop += length;
    return;
}

In the while loop, when d->outsize reaches 131072, it enters the following if check:

    if ( d->outsize >= 131072 ) {

and then enters close_socket(). Inside close_socket(), because outtop is greater than 0, it enters this if check and calls process_output() before it has a chance to invalidate d (or 'dclose' as it's called in close_socket()):

    /* Process any pending output */
    if ( dclose->outtop > 0 )
        process_output( dclose, FALSE );

process_output() then calls write_to_buffer() and tries to add more characters to the buffer, so it will enter the while loop and if check yet again in write_to_buffer(), infinitely…

    if ( d->outsize >= 131072 ) {
        close_socket( d, TRUE );
        dbbug( "Buffer overflow. Closing.", 0 );
        return;
    }

This bug has never occurred before, and I have a suspicion that something else is going on to cause outsize to reach 131072, but I just found it interesting that in the case it does, this will happen. Has anyone else encountered this bug?

I ended up changing the inside of the if check to the following to reset the buffer and fix the infinite looping. I'd be interested in feedback/thoughts or other fixes that anyone has implemented.

    if ( d->outsize >= 131072 ) {
        wiznet( "write_to_buffer(): d->outsize reached 131072. Clearing buffer.", NULL, NULL, WIZ_BUGS, 0, 0, TRUE );
        d->outtop = 0;                    // reset buffer
        d->outsize = 2048;                // size of new buffer
        free( d->outbuf );                // free text in old buffer
        d->outbuf = malloc( d->outsize ); // allocate outsize-sized memory block for next output
        return;
    }

Thanks!

Maya
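An added model of the cycle described in the post (example code, not code from the post or from ROM 2.4): a cut-down DESCRIPTOR_DATA, a write_to_buffer() with the same growth loop, and a close_socket() that flushes through process_output(). The closing flag, the use_guard switch and the depth counter are assumptions added for the demonstration; without the guard the nesting only stops at the artificial cutoff, with it the close completes after a single re-entry.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#define OUT_LIMIT    131072  /* cap from the posted write_to_buffer() */
#define DEPTH_CUTOFF 8       /* artificial stop so the unguarded run can't blow the stack */
/* Cut-down stand-in for DESCRIPTOR_DATA: only the fields the bug touches. */
typedef struct {
    char *outbuf; int outsize, outtop;
    bool valid, closing;   /* closing: hypothetical guard flag, not in ROM 2.4 */
} DESC;
static bool use_guard;          /* selects the guarded or original behaviour */
static int  depth, max_depth;   /* nesting of write_to_buffer() calls */
static void close_socket(DESC *d);
/* Same control flow as the posted write_to_buffer(), minus the fcommand prefix. */
static void write_to_buffer(DESC *d, const char *txt, int length) {
    if (d == NULL || !d->valid) return;
    if (length <= 0) length = (int)strlen(txt);
    if (++depth > max_depth) max_depth = depth;
    while (d->outtop + length >= d->outsize) {
        if (d->outsize >= OUT_LIMIT) {
            /* Original: close_socket() re-enters us via process_output(). */
            if (depth < DEPTH_CUTOFF && !(use_guard && d->closing)) close_socket(d);
            depth--;
            return;
        }
        char *grown = malloc(2 * d->outsize);
        memcpy(grown, d->outbuf, d->outtop);
        free(d->outbuf); d->outbuf = grown; d->outsize *= 2;
    }
    memcpy(d->outbuf + d->outtop, txt, length);
    d->outtop += length;
    depth--;
}

/* process_output() appends a prompt before flushing, which is the re-entry point. */
static void process_output(DESC *d) { write_to_buffer(d, "\n\r<prompt> ", 0); d->outtop = 0; }

static void close_socket(DESC *d) {
    d->closing = true;   /* guard: mark the close before flushing pending output */
    if (d->outtop > 0) process_output(d);
    d->valid = false;
}

/* One write into a full 128 KiB buffer; returns the deepest nesting reached. */
int simulate(bool guarded) {
    DESC d = { malloc(OUT_LIMIT), OUT_LIMIT, OUT_LIMIT - 1, true, false };
    use_guard = guarded; depth = max_depth = 0;
    write_to_buffer(&d, "x", 0);
    free(d.outbuf);
    return max_depth;   /* 2 with the guard, DEPTH_CUTOFF (8) without it */
}
```

The guard only breaks the one cycle the post identifies; the outer write that triggered the close is still dropped, exactly as in the original code.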