[zeromq-dev] [PATCH] assert on 0 length messages
Pieter Hintjens
ph at imatix.com
Fri Aug 27 12:27:31 CEST 2010
Dhammika,
Thanks for this patch. Can you please (and sorry for the double
effort) repost this and state that you license it under MIT/X11? Even
a 1-line fix needs to be properly handled.
We really need a better way to organize patches IMO...
-Pieter
On Fri, Aug 27, 2010 at 10:22 AM, Dhammika Pathirana <dhammika at gmail.com> wrote:
> Hi,
>
> On receiving a new message, decoder inits a msg with size (*tmpbuf - 1).
> But a sender can craft a message such that *tmpbuf is 0 (i.e.
> zmq::message_t msg((size_t)-1)).
> This creates a remote memory corruption in the receiver.
>
> Patch is a temporary fix, we need a better way to handle malformed messages.
>
>
> Dhammika
>
>
> diff --git a/src/zmq_decoder.cpp b/src/zmq_decoder.cpp
> index 8e335c9..3b3e13b 100644
> --- a/src/zmq_decoder.cpp
> +++ b/src/zmq_decoder.cpp
> @@ -55,6 +55,7 @@ bool zmq::zmq_decoder_t::one_byte_size_ready ()
> else {
>
> // TODO: Handle over-sized message decently.
> + errno_assert (*tmpbuf != 0);
>
> // in_progress is initialised at this point so in theory we should
> // close it before calling zmq_msg_init_size, however, it's a 0-byte
> _______________________________________________
> zeromq-dev mailing list
> zeromq-dev at lists.zeromq.org
> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
--
Pieter Hintjens
iMatix - www.imatix.com
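As an added example (not 0MQ code and not part of this thread): the size-byte arithmetic Dhammika describes, next to a variant that rejects a zero length byte as a protocol error rather than asserting. It assumes the framing stated above, namely that the body size is the length byte minus one (the subtracted byte being the flags byte that follows the length).

```cpp
// Added example, not 0MQ code. Shows how a zero length byte underflows the
// body size derived from it, and a check that rejects the frame instead of
// allocating SIZE_MAX bytes or aborting the process.
#include <cstddef>
#include <cstdint>
#include <vector>

// Mirrors the decoder's arithmetic: the byte is promoted to int, 0 - 1 is -1,
// and converting that to size_t yields SIZE_MAX.
size_t naive_body_size(uint8_t length_byte) {
    return static_cast<size_t>(length_byte - 1);
}

// Hardened variant: a length byte of 0 cannot describe a valid frame, so it
// is a protocol error. Return false and let the caller drop that peer.
bool checked_body_size(uint8_t length_byte, size_t &body_size) {
    if (length_byte == 0)
        return false;
    body_size = static_cast<size_t>(length_byte) - 1;
    return true;
}

// Parses one frame laid out as: length byte, flags byte, body.
// Returns false on any malformed or truncated input.
bool decode_frame(const std::vector<uint8_t> &buf, std::vector<uint8_t> &body) {
    if (buf.empty())
        return false;
    size_t body_size = 0;
    if (!checked_body_size(buf[0], body_size))
        return false;                      // zero length byte: reject
    if (buf.size() < 2 + body_size)
        return false;                      // frame shorter than announced
    body.assign(buf.begin() + 2, buf.begin() + 2 + body_size);
    return true;
}
```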