resolve #1292 ZMQ_IDENTITY_FD does not validate option_len

2025-10-15 23:20:09 +02:00 · 2015-01-08 08:37:28 -06:00
parent 4e9e719ff3
commit 45c6815446
2 changed files with 37 additions and 23 deletions
--- a/src/router.cpp
+++ b/src/router.cpp
@@ -142,7 +142,13 @@ int zmq::router_t::xgetsockopt (int option_, const void *optval_,
                *optvallen_=sizeof(fd_t);
                return 0;
            }
+
            if (optval_ && optvallen_ && *optvallen_) {
+                if (*optvallen_ < sizeof(fd_t)) {
+                    *optvallen_=sizeof(fd_t);
+                    return EINVAL;
+                }
+
                blob_t identity= blob_t((unsigned char*)optval_,*optvallen_);
                outpipes_t::iterator it = outpipes.find (identity);
                if (it == outpipes.end() ){
--- a/tests/test_id2fd.cpp
+++ b/tests/test_id2fd.cpp
@@ -61,10 +61,18 @@ int main (void)

            //buffer for  zmq_getsockopt / ZMQ_IDENTITY_FD
            char idbuf[255];
+            char failbuf[2];
            size_t idbufsz=zmq_msg_size (&part);
+            size_t failsz=2;

            assert (idbufsz<=255);
            memcpy(idbuf,zmq_msg_data(&part),idbufsz);
+            failbuf[0] = idbuf[0];
+            failbuf[1] = 0;
+
+            // ensure that we validate buffer is sufficient to hold result
+            rc = zmq_getsockopt (server, ZMQ_IDENTITY_FD, failbuf, &failsz);
+            assert (rc == EINVAL);

            rc = zmq_getsockopt (server, ZMQ_IDENTITY_FD, idbuf, &idbufsz);
            assert (rc == 0);