axis-c-dev mailing list archives

From Alexei Dets <>
Subject SoapSerializer buffer allocation code is broken
Date Mon, 26 Jul 2004 22:43:47 GMT
I've discovered a serious problem that causes Axis C++ to crash when sending 
rather long (>2-3K) strings. The problem is in SoapSerializer.cpp:

IWrapperSoapSerializer& SoapSerializer::operator <<(const AxisChar*
int SoapSerializer::setNextSerilizeBuffer()

1) setNextSerilizeBuffer() allocates new buffers (and reuses old ones) that 
have a _fixed_ size: 1024, 2048, 4096 etc. - each next buffer is two times 
bigger than the previous one.

2) operator <<, on the other hand, has this code:

    int iTmpSerBufferSize = strlen(cSerialized);
    if((m_nFilledSize + iTmpSerBufferSize)>= m_nCurrentBufferSize)
        /*
         * Send the current buffer to the transport and get
         * another buffer to be filled
         */
        if (AXIS_SUCCESS == sendSerializedBuffer())
            if (AXIS_SUCCESS == setNextSerilizeBuffer())
                m_nFilledSize += iTmpSerBufferSize;

So, if cSerialized doesn't fit into the current buffer, Axis tries to find the next 
buffer or allocate a new one of _some_ (unknown!!!) size with the help of 
setNextSerilizeBuffer(). The next thing it will do is call strcat to copy 
cSerialized into this buffer. But nobody checks that setNextSerilizeBuffer() 
returned a buffer that is _bigger_ than strlen(cSerialized) => Axis crashes if 
cSerialized is bigger than the buffer.
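A minimal model of the two code paths described in the message, added here as an example (it is not code from Axis C++ or from the author): the original "is the current buffer full?" check beside one that sizes the next buffer against the string about to be copied. The class and function names (Serializer, nextBuffer, appendOriginal, appendFixed) are hypothetical.

```cpp
#include <cstring>
#include <string>
#include <vector>
// Hypothetical model of SoapSerializer's buffer handling (not Axis C++ code).
class Serializer {
public:
    // Mirrors setNextSerilizeBuffer(): the previous contents are considered
    // sent, and the next buffer is twice as large (1024, 2048, 4096, ...).
    // The optional 'needed' argument is the hardened addition: keep doubling
    // until the buffer can hold a string of that length plus its terminator.
    void nextBuffer(size_t needed = 0) {
        size_t size = (m_bufferSize == 0) ? 1024 : m_bufferSize * 2;
        while (size <= needed) size *= 2;
        m_bufferSize = size;
        m_buffer.assign(size, '\0');
        m_filled = 0;
    }
    // Original logic: only "is the current buffer full?" is checked. After a
    // new buffer is fetched, nothing verifies it can hold the string, so the
    // real strcat would write past its end. Here that case returns false
    // instead of performing the overflowing write.
    bool appendOriginal(const char* s) {
        size_t len = std::strlen(s);
        if (m_filled + len >= m_bufferSize) nextBuffer();   // size unknown
        if (m_filled + len >= m_bufferSize) return false;   // would overflow
        std::strcat(m_buffer.data(), s);
        m_filled += len;
        return true;
    }
    // Fixed logic: ask for a buffer sized against the string, then re-check
    // the bound immediately before copying.
    bool appendFixed(const char* s) {
        size_t len = std::strlen(s);
        if (m_filled + len >= m_bufferSize) nextBuffer(len);
        if (m_filled + len >= m_bufferSize) return false;   // cannot happen
        std::strcat(m_buffer.data(), s);
        m_filled += len;
        return true;
    }
    size_t bufferSize() const { return m_bufferSize; }
private:
    std::vector<char> m_buffer;
    size_t m_bufferSize = 0;
    size_t m_filled = 0;
};
// Helpers: append one constructed 'len'-byte string to a fresh serializer;
// true means the copy stayed within the buffer's bounds.
bool originalHandles(size_t len) { Serializer s; return s.appendOriginal(std::string(len, 'x').c_str()); }
bool fixedHandles(size_t len)    { Serializer s; return s.appendFixed(std::string(len, 'x').c_str()); }
```

With a 3000-byte string the original path ends up with a 1024-byte buffer and would overflow, while the fixed path doubles up to 4096 bytes before copying.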

