[zeromq-dev] zmq_server can be remotely crashed with telnet

Martin Sustrik sustrik at fastmq.com
Mon Mar 30 14:16:30 CEST 2009


Aamir,

> Thank you for the fix. I also noticed that the same thing happens with
> any program that declares a global object. For example, if you write a
> program to create a global exchange on some port and then telnet to
> that port you can crash the program with bad data.

I've checked this. It seems that when you press Ctrl+C in telnet, it
sends the following 5 bytes to 0MQ: ff f4 ff fd 06 (Wireshark interprets the
sequence as SIGCOMP, see RFC3321). I have no idea what it is supposed to
mean.

In any case, it is interpreted as the header of an extremely large message by
0MQ (~2^63 bytes). 0MQ in turn tries to allocate memory for the
message and fails.

There's no clean way to deal with the problem. The only possibility is
to allow the user to specify the maximal acceptable size of the message - if the
size of the incoming message is larger than the threshold, the connection
would be killed.

Martin
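
An added example, not part of the original message and not 0MQ's own code, of the check proposed above: the length decoded from the header is compared with a configured limit before anything is allocated. The framing (one length byte, with 0xff escaping to an 8-byte big-endian length), the function and enum names, and the 1 MiB limit are assumptions for illustration; the four bytes following the five-byte sequence from the message are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed framing (illustration only, not taken from the page):
   1 length byte; 0xff means an 8-byte big-endian length follows. */
enum hdr_status { HDR_OK, HDR_NEED_MORE, HDR_TOO_LARGE };

/* Decode the frame header in buf[0..len). On HDR_OK, *body_size and
   *hdr_size are set. Nothing is allocated here: the caller allocates
   only after the size has passed the max_size check. */
enum hdr_status parse_header(const uint8_t *buf, size_t len, uint64_t max_size,
                             uint64_t *body_size, size_t *hdr_size)
{
    uint64_t size;
    size_t need = 1;

    if (len < 1)
        return HDR_NEED_MORE;
    if (buf[0] == 0xff) {
        need = 9;
        if (len < need)
            return HDR_NEED_MORE;   /* wait for the full 8-byte length */
        size = 0;
        for (size_t i = 1; i < 9; i++)
            size = (size << 8) | buf[i];
    } else {
        size = buf[0];
    }
    if (size > max_size)
        return HDR_TOO_LARGE;       /* caller closes the connection */
    *body_size = size;
    *hdr_size = need;
    return HDR_OK;
}

int main(void)
{
    /* ff f4 ff fd 06 is the sequence from the message; the remaining
       four bytes are constructed to complete the assumed header. */
    const uint8_t telnet[] = { 0xff, 0xf4, 0xff, 0xfd, 0x06, 0x0d, 0x0a, 0x0d, 0x0a };
    uint64_t body; size_t hdr;
    enum hdr_status st = parse_header(telnet, sizeof telnet, 1u << 20, &body, &hdr);
    printf("%s\n", st == HDR_TOO_LARGE ? "oversized header: close connection" : "accepted");
    return 0;
}
```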


