[zeromq-dev] [PATCH] assert on 0 length messages

Dhammika Pathirana dhammika at gmail.com
Fri Aug 27 10:22:47 CEST 2010


Hi,

On receiving a new message, the decoder inits a msg with size (*tmpbuf - 1).
But a sender can craft a message such that *tmpbuf is 0 (i.e.
zmq::message_t msg((size_t)-1)).
This creates a remote memory corruption in the receiver.

The patch is a temporary fix; we need a better way to handle malformed messages.


Dhammika


diff --git a/src/zmq_decoder.cpp b/src/zmq_decoder.cpp
index 8e335c9..3b3e13b 100644
--- a/src/zmq_decoder.cpp
+++ b/src/zmq_decoder.cpp
@@ -55,6 +55,7 @@ bool zmq::zmq_decoder_t::one_byte_size_ready ()
     else {

         //  TODO:  Handle over-sized message decently.
+        errno_assert (*tmpbuf != 0);

         //  in_progress is initialised at this point so in theory we should
         //  close it before calling zmq_msg_init_size, however, it's a 0-byte


