generic-library/libzmq
1
0
Fork 0
mirror of https://github.com/zeromq/libzmq.git synced 2025-10-29 12:18:04 +01:00
Code Issues Projects Releases Wiki Activity

Corrected discarding of remainder of message when request ID invalid

Browse Source 
When zmq::req_t::xrecv detects that a response has no request ID
label, or the ID is the wrong size, it would return an EAGAIN, but
would not discard the remainder of the message.  This could allow the
remainder of the message to incorrectly "leak" into a future response,
if it is crafted to look like a reply with a valid response ID.
Discard all remaining message blocks, if the ID is invalid in any way.
This commit is contained in:
Perry Kundert
2011-10-29 14:47:53 +02:00
committed by Martin Sustrik
parent 52bab42212
commit 09574a6104
1 changed files with 8 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/req.cpp
View File

@@ -92,14 +92,20 @@ int zmq::req_t::xrecv (msg_t *msg_, int flags_)
// TODO: This should also close the connection with the peer!
if (unlikely (!(msg_->flags () & msg_t::label) || msg_->size () != 4)) {
while (true) {
int rc = xreq_t::xrecv (msg_, flags_);
errno_assert (rc == 0);
if (!(msg_->flags () & (msg_t::label | msg_t::more)))
break;
}
msg_->close ();
msg_->init ();
errno = EAGAIN;
return -1;
}
unsigned char *data = (unsigned char*) msg_->data ();
if (unlikely (get_uint32 (data) != request_id)) {
// The request ID does not match. Drop the entire message.
while (true) {
int rc = xreq_t::xrecv (msg_, flags_);
errno_assert (rc == 0);