[zeromq-dev] ZMQ_STREAM does not receive 16KB but only 8KB, possible information disclosure

Goswin von Brederlow goswin-v-b at web.de
Thu Jun 26 10:25:25 CEST 2014


On Tue, Jun 24, 2014 at 02:25:48PM +0200, Mathias Hablützel wrote:
> Hi everyone,
> 
> I ran into the issue that sending more than 8KB of data with ZMQ_STREAM
> (yeah I know, zmq is not intended for that; anyway) that on the receiver
> side it gets truncated.
> 
> PoC
> https://gist.github.com/0x6d686b/16f79e092156dae223c9
> 
> If you look in the memory dump you'll see that at 0x2000 (or 8196 bytes) it
> changes from received payload to pre-initialised memory, and also that the
> received payload gets split in two parts of 8196 bytes.
> 
> IMO this MAY result in leaking sensitive information (information
> disclosure) if the server side would just reply with the received payload
> (like ping does).

The bug is in your code. Line 77 in server.c should read:

    hexdump (buffer, received_bytes);

If you ignore the amount of data actually received, that is your problem.

> I also suggest to document this in the "manpage" of zmq_socket ZMQ_STREAM
> that the biggest batch size is 8KB.
> 
> Mathias

It is interesting that you get 8KB chunks. I would have expected 64KB
or 128KB chunks as the limit. Anyway, what you have here are two things:

1) ZMQ_STREAM is a byte stream and gets sent out over TCP in chunks of
whatever MTU the TCP connection negotiates. With ethernet, unless you
have gigabit ethernet with jumbo frames, this will be far less than
8KB. Your test uses localhost so it won't be ethernet at all and
simply passes the data around in-kernel. So in this special case you
don't get the stream cut into even smaller chunks.

2) A socket has a limited receive buffer. A receive will never get
more than the full buffer size. If the default buffer size is 8KB on
your system then that is what you get as maximum. You can get less
than the full size though if not enough data has arrived yet.



As a side note: Never use ZMQ_STREAM between 2 ZeroMQ apps. It is
simply a hack to support connecting to or providing existing non-ZeroMQ
interfaces.

MfG
	Goswin
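The two points above in working code, as an added example that is not from the thread or the gist. A constructed stand-in for a ZMQ_STREAM peer (`fake_stream_t` and `fake_recv`, hypothetical, not libzmq) caps each read at the receive-buffer size; the defective echo processes `sizeof(buffer)` bytes and so hands back stale buffer contents, while the corrected loop reassembles the byte stream from only the bytes each read actually returned.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUFLEN 8192   /* receive buffer size seen in the thread */

/* Constructed stand-in for a socket peer: delivers the payload in reads
   of at most the receive-buffer size, possibly fewer bytes per read. */
typedef struct { const uint8_t *data; size_t len, pos, cap; } fake_stream_t;

static size_t fake_recv(fake_stream_t *s, uint8_t *buf, size_t buflen) {
    size_t n = s->len - s->pos;
    if (n > buflen) n = buflen;
    if (n > s->cap) n = s->cap;          /* socket receive buffer limit */
    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Defective pattern: process the whole buffer regardless of the count
   recv() returned; the tail is whatever the buffer held before. */
static size_t echo_whole_buffer(fake_stream_t *s, uint8_t *buf, size_t buflen, uint8_t *out) {
    (void)fake_recv(s, buf, buflen);
    memcpy(out, buf, buflen);
    return buflen;
}

/* Correct pattern: loop on recv() and touch only the bytes it returned. */
static size_t echo_received(fake_stream_t *s, uint8_t *buf, size_t buflen, uint8_t *out, size_t want) {
    size_t total = 0, n;
    while (total < want && (n = fake_recv(s, buf, buflen)) > 0) {
        memcpy(out + total, buf, n);
        total += n;
    }
    return total;
}

/* Peer sends 3000 bytes into a buffer still holding old data (constructed
   marker 0xAA). Returns how many stale bytes the defective echo sends back. */
size_t demo_stale_leak(void) {
    static uint8_t payload[3000], buf[BUFLEN], out[BUFLEN];
    memset(payload, 'A', sizeof payload);
    memset(buf, 0xAA, sizeof buf);
    fake_stream_t s = { payload, sizeof payload, 0, BUFLEN };
    size_t sent = echo_whole_buffer(&s, buf, BUFLEN, out), stale = 0;
    for (size_t i = 0; i < sent; i++) if (out[i] == 0xAA) stale++;
    return stale;   /* 8192 - 3000 = 5192 */
}

/* Peer sends 12000 bytes; one recv() never exceeds 8 KB, so the loop needs
   two reads (8192 + 3808). Returns the reassembled length, 0 on mismatch. */
size_t demo_reassemble(void) {
    static uint8_t payload[12000], buf[BUFLEN], out[12000];
    for (size_t i = 0; i < sizeof payload; i++) payload[i] = (uint8_t)i;
    fake_stream_t s = { payload, sizeof payload, 0, BUFLEN };
    size_t got = echo_received(&s, buf, BUFLEN, out, sizeof payload);
    return memcmp(out, payload, sizeof payload) == 0 ? got : 0;
}
```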