On Thu, 21 Apr 2005 20:08:20 -0400, Caleb Epstein wrote
https://mndfck.org/svn/socketstream/trunk/example/time/session.h
Buffer overflow here:
char s[3]; this->time(s);
where ::time indexes s[0..3]. There's even a comment:
// assume we really got a string of the appropriate size
This kind of code needs to be banished from all socket examples and libraries. We need buffer type that the "network infrastructure" can 'know' the size of and possibly even resize if needed. These type of assumed/fixed size buffers are bad design -- simply unacceptable in my mind for a modern C++ library. I notice we don't have a buffer concept in any of our net/socket writeups on the wiki. I think that's a big omission. I also wonder if the abstraction doesn't already exist --> std::basic_streambuf. Let the socket class write into the streambuf and then you can trivially wrap a stream around it to do sophisticated i/o if you wish -- or simply pull out the raw chars.... Jeff