Dhammika,

Thanks for this patch.  Can you please (and sorry for the double
effort) repost this and state that you license it under MIT/X11?  Even
a 1-line fix needs to be properly handled.

We really need a better way to organize patches IMO...

-Pieter

On Fri, Aug 27, 2010 at 10:22 AM, Dhammika Pathirana <dhamm...@gmail.com> wrote:
> Hi,
>
> On receiving a new message, decoder inits a msg with size (*tmpbuf - 1).
> But a sender can craft a message such that *tmpbuf is 0 (i.e.
> zmq::message_t msg((size_t)-1)).
> This creates a remote memory corruption in the receiver.
>
> Patch is a temporary fix, we need a better way to handle malformed messages.
>
>
> Dhammika
>
>
> diff --git a/src/zmq_decoder.cpp b/src/zmq_decoder.cpp
> index 8e335c9..3b3e13b 100644
> --- a/src/zmq_decoder.cpp
> +++ b/src/zmq_decoder.cpp
> @@ -55,6 +55,7 @@ bool zmq::zmq_decoder_t::one_byte_size_ready ()
>     else {
>
>         //  TODO:  Handle over-sized message decently.
> +        errno_assert (*tmpbuf != 0);
>
>         //  in_progress is initialised at this point so in theory we should
>         //  close it before calling zmq_msg_init_size, however, it's a 0-byte
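Review bot: errno_assert (*tmpbuf != 0) closes the memory-corruption path but still lets a remote peer terminate the receiver, because a failed assertion on malformed input aborts the whole process; a zero length byte should be handled as a protocol error that tears down that one connection, which is what the TODO on the preceding line ("Handle over-sized message decently") already asks for, with the assertion at most as the stop-gap the cover letter calls it. errno_assert also reports errno, and nothing in this path has set it, so the abort message would be misleading; if an assertion is kept at all, use one that does not print errno.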
> _______________________________________________
> zeromq-dev mailing list
> zeromq-dev@lists.zeromq.org
> http://lists.zeromq.org/mailman/listinfo/zeromq-dev
>
>



-- 
Pieter Hintjens
iMatix - www.imatix.com
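To make the failure mode in the quoted report concrete, here is an added example (not code from libzmq or from either poster) of a minimal one-byte-length frame decoder: the unchecked arithmetic, which wraps to SIZE_MAX when the length byte is 0, next to a version that reports the zero byte as a protocol error so the caller can drop the connection instead of aborting the process. The framing [length][flags][body of length-1 bytes] and the names unchecked_body_size, decode_frame, decode_status and frame are assumptions for the illustration; the 8-byte length escape of the real protocol is not modeled.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

// Result of one attempt to decode a frame from a receive buffer.
enum class decode_status { ok, need_more, protocol_error };

struct frame {
    unsigned char flags = 0;
    std::vector<unsigned char> body;
};

// The arithmetic the report describes: body size is the length byte minus
// one (the flags byte). With an unsigned size_t this wraps to SIZE_MAX when
// the length byte is 0, which is the size the receiver would then try to
// allocate for the incoming message.
std::size_t unchecked_body_size(unsigned char length_byte) {
    return static_cast<std::size_t>(length_byte) - 1;
}

// Hardened decoder for the assumed framing [length][flags][body]. A length
// byte of 0 cannot describe a valid frame (it would underflow), so it is
// reported as a protocol error for the caller to close the connection on,
// rather than asserting and taking the whole process down.
decode_status decode_frame(const unsigned char *buf, std::size_t n,
                           frame &out, std::size_t &consumed) {
    consumed = 0;
    if (n < 1)
        return decode_status::need_more;            // no length byte yet
    const unsigned char length_byte = buf[0];
    if (length_byte == 0)
        return decode_status::protocol_error;       // would wrap to SIZE_MAX
    // Whole frame: length byte + (flags byte + body), i.e. 1 + length_byte.
    const std::size_t frame_len = 1 + static_cast<std::size_t>(length_byte);
    if (n < frame_len)
        return decode_status::need_more;            // body not fully received
    out.flags = buf[1];
    out.body.assign(buf + 2, buf + frame_len);      // length_byte - 1 body bytes
    consumed = frame_len;
    return decode_status::ok;
}

int main() {
    // Constructed sample frames, not captured traffic.
    const unsigned char good[] = {0x04, 0x00, 'a', 'b', 'c'};
    const unsigned char bad[] = {0x00};
    frame f;
    std::size_t used = 0;
    std::cout << "unchecked size for length byte 0: "
              << unchecked_body_size(0) << "\n";
    std::cout << "good frame: status "
              << static_cast<int>(decode_frame(good, sizeof good, f, used))
              << ", body bytes " << f.body.size() << "\n";
    std::cout << "zero length byte: status "
              << static_cast<int>(decode_frame(bad, sizeof bad, f, used))
              << "\n";
    return 0;
}
```

The decoder returns a status instead of asserting so that the connection-level code can decide what to do with a misbehaving peer; the same shape extends to the 8-byte length form by adding an upper bound check before allocating.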
