[zeromq-dev] crash in send_unsubscription

Martin Hurton hurtonm at gmail.com
Thu Apr 11 23:18:50 CEST 2013


Hi Katerina,

> Has anybody else seen this and is this a bug that should be fixed? The data
> is NULL and size_ is 0.

Just curious, what OS and C library are you using?

> void zmq::xpub_t::send_unsubscription (unsigned char *data_, size_t size_,
>     void *arg_)
> {
>     xpub_t *self = (xpub_t*) arg_;
>
>     if (self->options.type != ZMQ_PUB) {
>
>         //  Place the unsubscription to the queue of pending (un)subscriptions
>         //  to be retrieved by the user later on.
>         blob_t unsub (size_ + 1, 0);
>         unsub [0] = 0;
>         if (size_ > 0)  // <-- Added check to prevent crash
>             memcpy (&unsub [1], data_, size_);  // <--
>         self->pending.push_back (unsub);
>     }
> }

I think we should check for NULL pointers even when n is zero.
Could you please create a pull request so we can merge this? Thanks.

- Martin
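
Added example (not part of the original message and not libzmq's own code): a stand-alone sketch of the guarded frame construction discussed above. The C standard requires valid pointers for memcpy even when the length is zero, so the copy is skipped unless there is a non-NULL source and something to copy. The names frame_t, make_unsubscription and rejects_null_with_length are hypothetical, and throwing on a NULL pointer with a non-zero size is an assumed policy.

```cpp
#include <cstddef>
#include <cstring>
#include <limits>
#include <stdexcept>
#include <vector>

//  Hypothetical stand-in for libzmq's blob_t (assumption for this example).
typedef std::vector<unsigned char> frame_t;

//  Builds the frame queued for the user: a 0 byte (unsubscribe marker)
//  followed by the topic prefix. data_ may be NULL only when size_ is 0.
frame_t make_unsubscription (const unsigned char *data_, size_t size_)
{
    //  size_ + 1 must not wrap around to 0.
    if (size_ == std::numeric_limits<size_t>::max ())
        throw std::length_error ("topic too large");

    //  A NULL pointer with a non-zero length is a caller bug; refuse it
    //  instead of dereferencing it (assumed policy).
    if (data_ == NULL && size_ != 0)
        throw std::invalid_argument ("NULL topic with non-zero size");

    frame_t unsub (size_ + 1, 0);   //  unsub [0] == 0 marks an unsubscription
    //  Skip memcpy entirely when there is nothing to copy, so a NULL
    //  source is never passed to it.
    if (data_ != NULL && size_ > 0)
        std::memcpy (&unsub [1], data_, size_);
    return unsub;
}

//  Returns true if the NULL-with-length case is rejected.
bool rejects_null_with_length ()
{
    try {
        make_unsubscription (NULL, 3);
    }
    catch (const std::invalid_argument &) {
        return true;
    }
    return false;
}

int main ()
{
    //  The case from the report: data is NULL and size_ is 0.
    frame_t empty = make_unsubscription (NULL, 0);
    return (empty.size () == 1 && rejects_null_with_length ()) ? 0 : 1;
}
```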
