Buffer overrun in handle_notice_message()

Hi all,

I'd like to report a buffer overrun in handle_notice_message().
Analysis: when I run a query >4096 characters that has a 'C' at a
specific location (at a specific, small offset before a multiple of
4096), then the stack is trashed and the driver crashes. The code fragment:

for (;;)
{
    truncated = SOCK_get_string(sock, msgbuffer, sizeof(msgbuffer));
    if (!msgbuffer[0])
        break;

    mylog("%s: 'N' - %s\n", comment, msgbuffer);
    qlog("NOTICE from backend during %s: '%s'\n", comment, msgbuffer);
    switch (msgbuffer[0])
    {
        case 'S':
            strncat(msgbuf, msgbuffer + 1, buflen);
            strncat(msgbuf, ": ", buflen);
            buflen -= (strlen(msgbuffer) + 1);
            break;
        case 'M':
            strncat(msgbuf, msgbuffer + 1, buflen);
            msg_truncated = truncated;
            break;
        case 'C':
            if (sqlstate && !sqlstate[0] && strcmp(msgbuffer + 1, "00000"))
                strcpy(sqlstate, msgbuffer + 1);
            break;
    }
}



The problem is that PostgreSQL replies to the query with a "LOG"-type
message, quoting the _complete_ query. This loop retrieves the message
in chunks of 4096 bytes (i.e., sizeof(msgbuffer)) and normally just
outputs things to mylog and qlog, _except_ if the first character of a
chunk just happens to be 'S', 'M' or 'C'. In the 'S' or 'M' cases,
nothing bad happens, but in the 'C' case, the
strcpy(sqlstate,msgbuffer+1) copies 4 kbytes of data into the 8-byte
sqlstate buffer.

The way I understand it, the switch on msgbuffer[0] should only happen
on the first iteration, not on subsequent iterations. After I changed
the loop like that, my application ran without any problems.

Oh, in case you're wondering: protocol is 7.4+, PostgreSQL server
version is 8.1.4.

Cheers,
Bart