Problem: possible use-after-free

Solution: check for failure and do not access any members afterwards
2025-10-26 02:18:06 +01:00 · 2019-03-22 07:19:06 -04:00
parent f083e60d8c
commit e17232f725
2 changed files with 20 additions and 7 deletions
--- a/src/stream_engine.cpp
+++ b/src/stream_engine.cpp
@@ -297,13 +297,20 @@ void zmq::stream_engine_t::terminate ()
 }

 void zmq::stream_engine_t::in_event ()
+{
+    // ignore errors
+    const bool res = in_event_internal ();
+    LIBZMQ_UNUSED (res);
+}
+
+bool zmq::stream_engine_t::in_event_internal ()
 {
    zmq_assert (!_io_error);

    //  If still handshaking, receive and process the greeting message.
    if (unlikely (_handshaking))
        if (!handshake ())
-            return;
+            return false;

    zmq_assert (_decoder);

@@ -311,7 +318,7 @@ void zmq::stream_engine_t::in_event ()
    if (_input_stopped) {
        rm_fd (_handle);
        _io_error = true;
-        return;
+        return true; // TODO or return false in this case too?
    }

    //  If there's no data to process in the buffer...
@@ -329,12 +336,14 @@ void zmq::stream_engine_t::in_event ()
            // connection closed by peer
            errno = EPIPE;
            error (connection_error);
-            return;
+            return false;
        }
        if (rc == -1) {
-            if (errno != EAGAIN)
+            if (errno != EAGAIN) {
                error (connection_error);
-            return;
+                return false;
+            }
+            return true;
        }

        //  Adjust input size
@@ -363,13 +372,14 @@ void zmq::stream_engine_t::in_event ()
    if (rc == -1) {
        if (errno != EAGAIN) {
            error (protocol_error);
-            return;
+            return false;
        }
        _input_stopped = true;
        reset_pollin (_handle);
    }

    _session->flush ();
+    return true;
 }

 void zmq::stream_engine_t::out_event ()
@@ -497,7 +507,8 @@ bool zmq::stream_engine_t::restart_input ()
        _session->flush ();

        //  Speculative read.
-        in_event ();
+        if (!in_event_internal ())
+            return false;
    }

    return true;
--- a/src/stream_engine.hpp
+++ b/src/stream_engine.hpp
@@ -87,6 +87,8 @@ class stream_engine_t : public io_object_t, public i_engine
    void timer_event (int id_);

  private:
+    bool in_event_internal ();
+
    //  Unplug the engine from the session.
    void unplug ();