Problem: pointer overflow in zmq::v2_decoder_t::size_ready leading to remote code execution (issue #3351)

Solution: refactor the bounds-check arithmetic so that no overflow can occur

Signed-off-by: Guido Vranken <guidovranken@gmail.com>
Guido Vranken 2019-01-08 23:39:41 +01:00
parent 7302b9b8d1
commit 1a2ed12716


@ -115,8 +115,7 @@ int zmq::v2_decoder_t::size_ready (uint64_t msg_size_,
shared_message_memory_allocator &allocator = get_allocator ();
if (unlikely (!_zero_copy
|| ((unsigned char *) read_pos_ + msg_size_
> (allocator.data () + allocator.size ())))) {
|| msg_size_ > allocator.data () + allocator.size () - read_pos_ )) {
// a new message has started, but the size would exceed the pre-allocated arena
// this happens every time when a message does not fit completely into the buffer
rc = _in_progress.init_size (static_cast<size_t> (msg_size_));