PRB: Inadequate Buffer Length Causes Strange Problems in DDEML

• Microsoft Windows Software Development Kit (SDK) versions 3.1
• Microsoft Win32 Application Programming Interface (API) included with:

      - Microsoft Windows NT versions 3.5 and 3.51
      - Microsoft Windows 95 version 4.0
  

SYMPTOMS

Specifying an inadequate buffer length for an XTYP_POKE or an XTYP_EXECUTE command causes strange problems in DDEML.

Problems can range from a general protection (GP) fault or Exception 13, to DDEML timeout errors (such as DMLERR_EXECACKTIMEOUT or DMLERR_POKEACKTIMEOUT) or a DDEML transaction failure (or DMLERR_NOTPROCESSED). Sometimes, the application may seem to work for the most part, and then occasionally crash.

Data can be passed to the server application via XTYP_POKE or XTYP_EXECUTE in two ways:

• Directly, as a pointer to the data or command string, as in the sample code below:

     char lpszString [80];
  
     lstrcpy (lpszString, "[FileOpen(""C:\README.DOC"")]");
     DdeClientTransaction (lpszString,             // string buffer
                           lstrlen (lpszString)+1, // string buffer length
                           hConv,
                           hszItem,
                           CF_TEXT,
                           XTYP_POKE,
                           1000,
                           NULL);
  
    -or-
  
  

• By creating a data handle, and passing that on to the DdeClientTransaction() call:

     char lpszString [80];
     HDDEDATA hData;
  
     lstrcpy (lpszString, "[FileOpen(""C:\README.DOC"")]");
     hData = DdeCreateDataHandle (idInst,
                                  lpszString,
                                  lstrlen (lpszString)+1,
                                  0,
                                  NULL,
                                  CF_TEXT,
                                  0);
     if (!hData)
        DdeClientTransaction (hData,     // string buffer
                              -1,        // indicates hData is a data handle
                              hConv,
                              hszItem,
                              CF_TEXT,
                              XTYP_POKE,
                              1000,
                              NULL);
  
  

CAUSE

Because data is most commonly passed between applications in CF_TEXT format, a common problem with the string buffer length is setting it to lstrlen (lpszString), where lpszString is the buffer containing the string the client needs to pass to the server. Because the lstrlen() function does not include the terminating null character, this can cause the system to append garbage characters to the end of the string, thus sending an invalid string to the server application.

RESOLUTION

When passing strings between two applications, the string buffer length should be set to lstrlen (lpszString) +1, to include the terminating null character ('\0').

Using DDESPY, it is easy to track down this problem, because one can follow the string being passed from the client to the server application. Garbage characters incorrectly being appended to the string usually indicate a problem with specifying an inadequate string buffer length.