Force an overflow error?

Posted by Zeno on Sat 04 Feb 2006 06:11 PM — 17 posts, 59,124 views.

USA #0
Anyone know how to force an overflow error on a player? If I run Samson's pfile cleanup snippet, it cleans up about 600 players (thus 600 lines of logs) and causes an overflow on the Imms. So I tried this to force an overflow:
  for ( i=0; i < 700; i++ )
  {
   snprintf( log_buf, MAX_STRING_LENGTH, "Player Test was deleted. Exceeded time limit of 2 days." );
   log_string( log_buf );
  }

But it doesn't cause an overflow at all. Anyone have any idea what to do?
USA #1
What kind of overflow are you talking about? If you mean fill up the outgoing buffer before the select-then-output has time to service it, you'll have to look up in DESC_DATA or whatever the connection structure is to see how big that buffer is.
USA #2
This kind over overflow:
BUG: Buffer overflow. Closing (Zeno).
 Closing link to Zeno.


I'll look into DESC_DATA. Is it one of these?
    char                inbuf           [MAX_INBUF_SIZE];
    char                incomm          [MAX_INPUT_LENGTH];
    char                inlast          [MAX_INPUT_LENGTH];

They're 1024.
Amended on Sat 04 Feb 2006 11:44 PM by Zeno
USA #3
No, those are all input buffers, to store what the player is typing. I think there are output buffers as well, but it's been a while since I've seen stock SMAUG network code. I heavily rewrote a lot of mine so I don't have offhand access to normal code.

But it should be in send_to_char or something like that -- that should call the function that adds it to the outgoing buffer.
USA #4

   /*
    * Expand the buffer as needed.
    */
   while( d->outtop + length >= d->outsize )
   {
      if( d->outsize > 32000 )
      {
         /*
          * empty buffer 
          */
         d->outtop = 0;
         close_socket( d, TRUE );
         bug( "Buffer overflow. Closing (%s).", d->character ? d->character->name : "???" );
         return;
      }
      d->outsize *= 2;
      RECREATE( d->outbuf, char, d->outsize );
   }


According to the above code, you need to force-fill a buffer with more than 32,000 characters. How you would go about that is up to you :)
USA #5
I tried looking through the code at outsize or outbuf, but I can't really seem to track it down to see how it's used. I still don't see how my original code isn't forcing it to be filled.
USA #6
According to what Samson posted, you'd need to output 32,000 / 600 = 53.3 characters per line, if you output 600 lines, in order to overflow the connection.

I have to admit, though, that I'm curious why you want to go to the trouble of overflowing a player when you can just disconnect them? :)
USA #7
I need to reproduce an overflow in normal conditions, aka not running the pfile cleanup. See this topic:
http://forums.smaugfuss.org/index.php?a=topic&t=214

[EDIT - 11 March 2008] - The Smaug FUSS site is now http://www.smaugmuds.org/
Amended on Tue 11 Mar 2008 03:31 AM by Nick Gammon
USA #8
I didn't read that in detail but it looks like you have a crash occurring from overflow, and you want to reproduce overflow in order to see what causes the crash?

I would just write a function that outputs 600 lines of 60 characters each. Should take care of the overflow...
USA #9
Yes, that's the basics of the crash.

I got the overflow working. But it turns out...
Quote:
Well now this is odd. I can reproduce this crash on the overflow when the pfile cleanup snippet is used (cleaning up 700+ players, giving 700+ logs and then an overflow) but I can't reproduce the crash with a simple overflow. Now I just have no idea...

So apparently it's not just the overflow that causes the crash...
USA #10
So this sounds like it's a bug in the pfiles code? Is it possible that during the course of loading and saving all those pfiles that one of them was an immortal, and it tried to send the log message to them even though they're linkdead?

Otherwise if this hasn't yet been isolated to the pfile code I'm not sure how else to forceably trigger the overflow besides writing a function to create the conditions. A for loop with enough iterations to call send_to_char on an 80 char string should do the trick.
USA #11
Yes, I've given it thought that it could be a bug in the pfile snippet. Can't confirm it though, but that's why I made that recent post on Alsherok.
USA #12
Well a simple fix I did when I encountered this problem was such:

in handler.c

sh_int get_trust( CHAR_DATA *ch )
{
if ( !ch )
return 0;
....
}
Amended on Mon 06 Feb 2006 04:27 AM by Gohan_TheDragonball
USA #13
Yeah, but it happens everywhere and not just in get_trust.
USA #14
Curious as to why altering get_trust would have any affect on this.
USA #15
Not about an overflow, but with the bug I am getting:
http://forums.smaugfuss.org/index.php?a=topic&t=214

As you can tell, in that example it crashed in get_trust.
USA #16
Yeah thats really the only way I know of to fix that problem, and trust me i tried a lot of things, and then i had to upload a backup because boy did i screw something up.