[zeromq-dev] Vulnerability of devices to incoming messages

Pieter Hintjens ph at imatix.com
Thu Aug 12 00:01:03 CEST 2010


On Wed, Aug 11, 2010 at 11:49 PM, Brian Granger <ellisonbg at gmail.com> wrote:

> I think the core question that this bug brings up is the following:
> In what situations do we want a 0MQ process to crash?
> Here is my simple answer:  never

Here's my view.

Processes should be as vulnerable as possible to internal errors, and
as robust as possible against external attacks and errors.  To give an
analogy, a living cell will self-destruct if it detects a single
internal error, yet it will resist attack from the outside by all
means possible.

Assertions are absolutely vital to robust code, they just have to be
on the right side of the cellular wall.  (And there should be such a
wall, if it's unclear whether a fault is internal or external, the
design is broken IMO.)

It definitely seems more useful that zmq_send() returns an error
rather than silently dropping a message it can't process, and I'll
take a look at that tomorrow.  It needs Sustrik's input, he presumably
has some reason for the current strategy.

-Pieter
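
The split described in this message, sketched as an added example (not part of the original post and not 0MQ code): bytes from a peer are rejected with a return code, while a broken internal invariant aborts. The frame format, names and limits are hypothetical, constructed for illustration.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical wire format (constructed here, not 0MQ's framing):
   one length byte N in 1..MAX_BODY, followed by N body bytes. */
#define MAX_BODY 64
enum { FRAME_OK = 0, FRAME_INCOMPLETE = -1, FRAME_MALFORMED = -2 };
struct frame { size_t len; uint8_t body[MAX_BODY]; };

/* Inside the wall: only ever sees frames that decode_frame() produced,
   so a bad length here is our own bug and should abort the process. */
static unsigned frame_checksum(const struct frame *f)
{
    assert(f != NULL && f->len >= 1 && f->len <= MAX_BODY);
    unsigned sum = 0;
    for (size_t i = 0; i < f->len; i++) sum += f->body[i];
    return sum;
}

/* The wall: buf and n come from a peer. Malformed input is an ordinary
   return value here, never an assertion failure. */
int decode_frame(const uint8_t *buf, size_t n, struct frame *out)
{
    assert(out != NULL);              /* caller bug, not peer input */
    if (buf == NULL || n == 0)
        return FRAME_INCOMPLETE;
    size_t len = buf[0];
    if (len == 0 || len > MAX_BODY)
        return FRAME_MALFORMED;       /* peer-declared size is untrusted */
    if (n - 1 < len)
        return FRAME_INCOMPLETE;      /* body not fully received yet */
    out->len = len;
    memcpy(out->body, buf + 1, len);
    return FRAME_OK;
}

int handle_bytes(const uint8_t *buf, size_t n)   /* checksum or FRAME_* */
{
    struct frame f;
    int rc = decode_frame(buf, n, &f);
    return rc != FRAME_OK ? rc : (int)frame_checksum(&f);
}

int main(void)
{
    const uint8_t oversized[] = { 200, 1, 2 };   /* constructed peer input */
    return handle_bytes(oversized, sizeof oversized) == FRAME_MALFORMED ? 0 : 1;
}
```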


