TinTin++ Mud Client The TinTin++ message board

Large GMCP messages

The TinTin++ message board Forum Index -> Bug Reports
nya
Joined: 25 Jun 2012
Posts: 39
Posted: Tue Aug 28, 2012 9:33 pm    Post subject: Large GMCP messages

Hello.

Larger GMCP messages cause wintin++ to crash as below:

Code:
DEBUG_STACK[000] = read_buffer_mud(0x5ba4c0)
DEBUG_STACK[001] = translate_telopts(0x5ba4c0,0x227e24,8987)
DEBUG_STACK[002] = recv_sb_gmcp(0x5ba4c0,13367,0x5a5ad8)


Although it took me a while to track down what caused this, the original error unfortunately happened naturally during gameplay. It was specifically caused by having a large number of separate items in Achaea being sent in a single Char.Items.List message. Originally, this happened due to there being a large number of distinct items in the room, and it was later recreated by adding more and more distinct items to a character's inventory until the crash could be replicated.

Looking over the source code for more information, I see the loop that gathers the raw JSON will function up to cplen times (in this case, 13367), does not heed BUFFER_SIZE at all, and will (in the case of the message causing the problem) write more than cplen bytes to the buffer, allowing for a potential buffer overflow even if cplen < BUFFER_SIZE.

I don't know if the loop that parses the JSON data also behaves this way, since I haven't read through it all to figure out how it works, but I suspect it might.
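The failure mode described in the post above, as an added illustration in C that is not TinTin++'s own code: a subnegotiation copy loop bounded only by the payload length cplen, never by the destination size, overruns the buffer as soon as per-byte expansion makes the output longer than the input, even when cplen is comfortably below the buffer size. The IAC-doubling expansion rule, the 64-byte SB_BUFFER_SIZE, the canary arena and the constructed 40-byte payload are all assumptions of this example, not details of recv_sb_gmcp().

```c
/* Added example, not TinTin++ source. Demonstrates why "cplen < BUFFER_SIZE"
 * is not a sufficient bound when the copy loop can emit more than one byte
 * per input byte. The IAC-doubling rule and sizes below are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IAC            0xFF
#define SB_BUFFER_SIZE 64    /* assumed logical buffer size, small for the demo */
#define CANARY_SIZE    256   /* guard region placed right after the buffer */
#define CANARY_BYTE    0xA5
#define PAYLOAD_LEN    40    /* below SB_BUFFER_SIZE, so a cplen-only check passes */

/* Vulnerable shape: loops cplen times and checks cplen against nothing.
 * Each IAC is written twice, so output length can exceed cplen. The
 * arena_size check is only a safety net for this demo; it sits far past
 * the logical SB_BUFFER_SIZE boundary and does not protect it. */
static size_t copy_sb_unbounded(unsigned char *dst, size_t arena_size,
                                const unsigned char *src, size_t cplen) {
    size_t out = 0;
    for (size_t i = 0; i < cplen; i++) {
        if (out + 3 > arena_size) break;
        if (src[i] == IAC) dst[out++] = IAC;
        dst[out++] = src[i];
    }
    dst[out] = '\0';
    return out;
}

/* Hardened shape: computes the expanded length first (including the NUL)
 * and refuses the copy if it would not fit in dstsize. Returns bytes
 * written, or -1 with dst untouched. */
static long copy_sb_bounded(unsigned char *dst, size_t dstsize,
                            const unsigned char *src, size_t cplen) {
    size_t need = 1;
    for (size_t i = 0; i < cplen; i++) need += (src[i] == IAC) ? 2 : 1;
    if (need > dstsize) return -1;
    size_t out = 0;
    for (size_t i = 0; i < cplen; i++) {
        if (src[i] == IAC) dst[out++] = IAC;
        dst[out++] = src[i];
    }
    dst[out] = '\0';
    return (long)out;
}

/* Constructed payload: 30 IAC bytes followed by 10 'a's. cplen is 40, the
 * expanded output is 70 bytes plus a NUL, so it spills past a 64-byte buffer. */
static void make_payload(unsigned char p[PAYLOAD_LEN]) {
    for (size_t i = 0; i < PAYLOAD_LEN; i++) p[i] = (i < 30) ? IAC : 'a';
}

static int canary_intact(const unsigned char *c, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (c[i] != CANARY_BYTE) return 0;
    return 1;
}

/* Returns 1 if the unbounded copy wrote past the logical buffer. */
static int demo_unbounded_overruns(void) {
    unsigned char arena[SB_BUFFER_SIZE + CANARY_SIZE];
    unsigned char payload[PAYLOAD_LEN];
    make_payload(payload);
    memset(arena, 0, SB_BUFFER_SIZE);
    memset(arena + SB_BUFFER_SIZE, CANARY_BYTE, CANARY_SIZE);
    copy_sb_unbounded(arena, sizeof arena, payload, PAYLOAD_LEN);
    return !canary_intact(arena + SB_BUFFER_SIZE, CANARY_SIZE);
}

/* Returns the bounded copy's verdict for the same payload: -1 (rejected). */
static long demo_bounded_rejects(void) {
    unsigned char buf[SB_BUFFER_SIZE];
    unsigned char payload[PAYLOAD_LEN];
    make_payload(payload);
    return copy_sb_bounded(buf, sizeof buf, payload, PAYLOAD_LEN);
}

/* Returns 1 if a small payload that does fit is copied and escaped correctly. */
static int demo_bounded_small_ok(void) {
    unsigned char buf[SB_BUFFER_SIZE];
    const unsigned char s[3] = { 'a', IAC, 'b' };
    long n = copy_sb_bounded(buf, sizeof buf, s, sizeof s);
    return n == 4 && buf[0] == 'a' && buf[1] == IAC && buf[2] == IAC
           && buf[3] == 'b' && buf[4] == '\0';
}

int main(void) {
    printf("unbounded copy clobbered canary: %d\n", demo_unbounded_overruns());
    printf("bounded copy result for same payload: %ld\n", demo_bounded_rejects());
    printf("bounded copy of fitting payload ok: %d\n", demo_bounded_small_ok());
    return 0;
}
```

The point of the canary arena is to make the overrun observable without corrupting anything else in the process; in a real client the bytes past the buffer land on whatever happens to follow it, which is what produces crashes like the one in the debug stack above. The hardened version's pre-pass over the payload is the check a practitioner would want: bound every write by the destination size, counting the bytes the expansion adds rather than the bytes the input contains.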
ixle
Joined: 15 Sep 2011
Posts: 158
Location: United States
Posted: Wed Aug 29, 2012 1:24 am

I wonder if this is related to the crashes listed here.
Scandum
Site Admin
Joined: 03 Dec 2004
Posts: 3796
Posted: Sat Sep 01, 2012 8:27 am

I put it on my todo list.
Scandum
Site Admin
Joined: 03 Dec 2004
Posts: 3796
Posted: Sat Nov 24, 2012 5:12 pm

This is possibly caused by using %0 twice, or using both %0 and %1 in the same event.

TinTin has a buffer limit of 20K, so either increase this to 40K in tintin.h or make sure you only have one %0 in the event body.

I might add infinite buffers one day, but it'd be somewhat of an undertaking.
nya
Joined: 25 Jun 2012
Posts: 39
Posted: Sun Dec 02, 2012 7:12 am

It seems that fixed it, thanks! The fact I even had two %0s at all was an oversight on my part, but I didn't even think that that'd have caused it.
All times are GMT - 5 Hours