Dhammika,

Thanks for this patch. Can you please (and sorry for the double effort) repost this and state that you license it under MIT/X11? Even a 1-line fix needs to be properly handled.

We really need a better way to organize patches IMO...

-Pieter

On Fri, Aug 27, 2010 at 10:22 AM, Dhammika Pathirana <dhamm...@gmail.com> wrote:
> Hi,
>
> On receiving a new message, decoder inits a msg with size (*tmpbuf - 1).
> But a sender can craft a message such that *tmpbuf is 0 (ie.
> zmq::message_t msg((size_t)-1)).
> This creates a remote memory corruption in the receiver.
>
> Patch is a temporary fix, we need a better way to handle malformed messages.
>
>
> Dhammika
>
>
> diff --git a/src/zmq_decoder.cpp b/src/zmq_decoder.cpp
> index 8e335c9..3b3e13b 100644
> --- a/src/zmq_decoder.cpp
> +++ b/src/zmq_decoder.cpp
> @@ -55,6 +55,7 @@ bool zmq::zmq_decoder_t::one_byte_size_ready ()
> else {
>
> // TODO: Handle over-sized message decently.
> + errno_assert (*tmpbuf != 0);
>
> // in_progress is initialised at this point so in theory we should
> // close it before calling zmq_msg_init_size, however, it's a 0-byte
> _______________________________________________
> zeromq-dev mailing list
> zeromq-dev@lists.zeromq.org
> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
>
>

--
- Pieter Hintjens
iMatix - www.imatix.com
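Review bot: the added `errno_assert (*tmpbuf != 0);` converts the size underflow from memory corruption into a process abort, so a peer that sends a zero size byte still takes the receiver down, just differently; since `one_byte_size_ready ()` already returns `bool` (see the hunk header), the safer temporary fix is to return false for `*tmpbuf == 0` and let the caller drop the connection, which is also the path the `TODO: Handle over-sized message decently.` line just above is asking for. A smaller point: `errno_assert` reports errno, and nothing on this path sets it, so the plain `zmq_assert` would be the matching macro if an assert is kept.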
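An added example in C++ (not the patch's or libzmq's code) showing the size computation the quoted mail describes next to a parser that rejects a zero size byte by failing softly instead of aborting. It assumes a minimal frame layout of one size byte, one flags byte, then the body, with the size byte counting the flags byte (which is why the decoder subtracts 1); that layout is an assumption for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Outcome of parsing one size-prefixed frame.
struct frame_result {
    bool ok;                    // false: malformed input, caller should drop the connection
    size_t body_size;           // payload bytes, excluding the flags byte
    uint8_t flags;
    std::vector<uint8_t> body;
};

// The pre-patch computation: unsigned arithmetic wraps when the size byte is 0,
// so the decoder would ask for a SIZE_MAX-byte message.
size_t naive_body_size(uint8_t size_byte) {
    return static_cast<size_t>(size_byte) - 1;
}

// Hardened form: validate before subtracting, and report failure to the caller
// rather than asserting (an assert turns the bad frame into a remote crash).
// Frame layout assumed here: [size byte][flags byte][body ...].
frame_result parse_frame(const std::vector<uint8_t>& in) {
    frame_result r{false, 0, 0, {}};
    if (in.empty()) return r;
    uint8_t size_byte = in[0];
    if (size_byte == 0) return r;                    // would underflow: reject
    size_t body_size = static_cast<size_t>(size_byte) - 1;
    if (in.size() < 2 + body_size) return r;         // truncated frame: reject
    r.flags = in[1];
    r.body.assign(in.begin() + 2, in.begin() + 2 + body_size);
    r.body_size = body_size;
    r.ok = true;
    return r;
}
```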