Problem: Possible buffer overruns related to metadata in various mechanisms (#2683)

* Problem: no test case with CURVE encryption and large identity Solution: added test case (currently crashing) * Problem: possible buffer overflow in mechanism_t::add_property Solution: add target buffer length parameter and check the buffer is sufficiently large * Problem: test cases accidentally excluded from build Solution: remove #if/#endif * Problem: possible buffer overruns related to metadata at various locations Solution: allocate buffer large enough for actual metadata, reduce code duplication * Problem: syntax error related to pointer type conversion Solution: change argument type of make_command_with_basic_properties to const char * * Problem: large metadata may cause an assertion in produce_initiate Solution: Allow metadata of arbitrary size in produce_initiate
2025-10-28 19:52:00 +01:00 · 2017-08-15 19:42:31 +02:00
parent d5e4319edc
commit 4a18f6204c
9 changed files with 162 additions and 132 deletions
--- a/src/null_mechanism.cpp
+++ b/src/null_mechanism.cpp
@@ -98,32 +98,7 @@ int zmq::null_mechanism_t::next_handshake_command (msg_t *msg_)
        return 0;
    }

-    unsigned char *const command_buffer = (unsigned char *) malloc (512);
-    alloc_assert (command_buffer);
-
-    unsigned char *ptr = command_buffer;
-
-    //  Add mechanism string
-    memcpy (ptr, "\5READY", 6);
-    ptr += 6;
-
-    //  Add socket type property
-    const char *socket_type = socket_type_string (options.type);
-    ptr += add_property (ptr, ZMQ_MSG_PROPERTY_SOCKET_TYPE, socket_type,
-                         strlen (socket_type));
-
-    //  Add identity property
-    if (options.type == ZMQ_REQ
-    ||  options.type == ZMQ_DEALER
-    ||  options.type == ZMQ_ROUTER)
-        ptr += add_property (ptr, ZMQ_MSG_PROPERTY_IDENTITY, options.identity,
-                             options.identity_size);
-
-    const size_t command_size = ptr - command_buffer;
-    const int rc = msg_->init_size (command_size);
-    errno_assert (rc == 0);
-    memcpy (msg_->data (), command_buffer, command_size);
-    free (command_buffer);
+    make_command_with_basic_properties (msg_, "\5READY", 6);

    ready_command_sent = true;