Hi,

On receiving a new message, the decoder inits a msg with size (*tmpbuf - 1).
But a sender can craft a message such that *tmpbuf is 0 (i.e.
zmq::message_t msg((size_t)-1)).
This creates a remote memory corruption in the receiver.

Patch is a temporary fix, we need a better way to handle malformed messages.


Dhammika


diff --git a/src/zmq_decoder.cpp b/src/zmq_decoder.cpp
index 8e335c9..3b3e13b 100644
--- a/src/zmq_decoder.cpp
+++ b/src/zmq_decoder.cpp
@@ -55,6 +55,7 @@ bool zmq::zmq_decoder_t::one_byte_size_ready ()
     else {

         //  TODO:  Handle over-sized message decently.
+        errno_assert (*tmpbuf != 0);

         //  in_progress is initialised at this point so in theory we should
         //  close it before calling zmq_msg_init_size, however, it's a 0-byte
_______________________________________________
zeromq-dev mailing list
[email protected]
http://lists.zeromq.org/mailman/listinfo/zeromq-dev
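The decoding step described in the report, reduced to a stand-alone model: this is an added example, not libzmq's own code, and the names (body_size_unchecked, body_size_checked, decode_frame, parse_status, frame_view) and the max_body bound are assumptions of the example. It assumes the wire format the message describes, a one-byte size that counts the flags byte plus the body, so the body length is the size byte minus one. The unchecked function reproduces the wrap to SIZE_MAX on a zero size byte; the checked functions reject that frame (and an over-sized one) with a status the caller can act on instead of asserting.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>

// Outcome of validating an untrusted length prefix (example code, not libzmq's).
enum class parse_status { ok, malformed, oversized };

// Unchecked variant: the arithmetic from the report. A size byte of 0 wraps
// to SIZE_MAX after subtracting 1 for the flags byte, and that value would
// then be used as an allocation size.
size_t body_size_unchecked(uint8_t size_byte) {
    return static_cast<size_t>(size_byte) - 1;
}

// Hardened variant: validate before deriving an allocation size.
// max_body is the largest body this receiver is willing to allocate (assumed
// policy knob, not a libzmq setting).
parse_status body_size_checked(uint8_t size_byte, size_t max_body, size_t &body_size) {
    if (size_byte == 0)
        return parse_status::malformed;      // no room even for the flags byte
    size_t n = static_cast<size_t>(size_byte) - 1;
    if (n > max_body)
        return parse_status::oversized;      // reject instead of allocating blindly
    body_size = n;
    return parse_status::ok;
}

// A decoded short frame: size byte consumed, flags byte and body exposed.
struct frame_view {
    uint8_t flags;
    const uint8_t *body;
    size_t body_len;
};

// Parse one short-form frame from buf[0..len). The caller drops the peer on
// anything other than parse_status::ok; nothing here aborts the process.
parse_status decode_frame(const uint8_t *buf, size_t len, size_t max_body, frame_view &out) {
    if (len < 1)
        return parse_status::malformed;      // need at least the size byte
    size_t body_len = 0;
    parse_status st = body_size_checked(buf[0], max_body, body_len);
    if (st != parse_status::ok)
        return st;
    // Total frame is size byte + flags byte + body; refuse truncated input.
    if (len < 2 + body_len)
        return parse_status::malformed;
    out.flags = buf[1];
    out.body = buf + 2;
    out.body_len = body_len;
    return parse_status::ok;
}

int main() {
    // Constructed frames: a valid 3-byte body and the malicious zero size byte.
    const uint8_t good[] = {0x04, 0x00, 'a', 'b', 'c'};
    const uint8_t bad[] = {0x00, 0x00};

    std::printf("unchecked size for byte 0: %zu (SIZE_MAX is %zu)\n",
                body_size_unchecked(0), std::numeric_limits<size_t>::max());

    frame_view fv{};
    std::printf("good frame: status %d, body_len %zu\n",
                static_cast<int>(decode_frame(good, sizeof good, 1024, fv)), fv.body_len);
    std::printf("zero size byte: status %d (1 = malformed)\n",
                static_cast<int>(decode_frame(bad, sizeof bad, 1024, fv)));
    return 0;
}
```

The point of the split is that the size byte is validated exactly once, before any arithmetic on it, and the result is a status rather than an assert, so a malformed frame costs the receiver one connection instead of the whole process.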
