Public bug reported:
The following function looks like it will access a 32-bit data element
that is improperly aligned:
void zmq::socket_base_t::monitor_event (int event_, int value_, const
std::string &addr_)
{
if (monitor_socket) {
// Send event in first frame
zmq_msg_t msg;
zmq_msg_init_size (&msg, 6);
uint8_t *data = (uint8_t *) zmq_msg_data (&msg);
*(uint16_t *) (data + 0) = (uint16_t) event_;
*(uint32_t *) (data + 2) = (uint32_t) value_;
zmq_sendmsg (monitor_socket, &msg, ZMQ_SNDMORE);
// Send address in second frame
zmq_msg_init_size (&msg, addr_.size());
memcpy (zmq_msg_data (&msg), addr_.c_str (), addr_.size ());
zmq_sendmsg (monitor_socket, &msg, 0);
}
}
On many platforms this will cause a SIGBUS.
It looks like upstream has already fixed this issue:
https://github.com/zeromq/libzmq/blob/master/src/socket_base.cpp#L1683
The current code looks like:
void zmq::socket_base_t::monitor_event (int event_, intptr_t value_, const
std::string &addr_)
{
if (monitor_socket) {
// Send event in first frame
zmq_msg_t msg;
zmq_msg_init_size (&msg, 6);
uint8_t *data = (uint8_t *) zmq_msg_data (&msg);
// Avoid dereferencing uint32_t on unaligned address
uint16_t event = (uint16_t) event_;
uint32_t value = (uint32_t) value_;
memcpy (data + 0, &event, sizeof(event));
memcpy (data + 2, &value, sizeof(value));
zmq_sendmsg (monitor_socket, &msg, ZMQ_SNDMORE);
// Send address in second frame
zmq_msg_init_size (&msg, addr_.size());
memcpy (zmq_msg_data (&msg), addr_.c_str (), addr_.size ());
zmq_sendmsg (monitor_socket, &msg, 0);
}
}
Thanks
** Affects: zeromq3 (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1623792
Title:
possible sigbus
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/zeromq3/+bug/1623792/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
