Problem: pointer overflow in zmq::v2_decoder_t::size_ready leading to remote…

Problem: pointer overflow in zmq::v2_decoder_t::size_ready leading to remote code execution (issue #3351) Solution: refactor bounds check arithmetic such that no overflow shall occur Signed-off-by: Guido Vranken <guidovranken@gmail.com>

Problem: pointer overflow in zmq::v2_decoder_t::size_ready leading to remote…
Problem: pointer overflow in zmq::v2_decoder_t::size_ready leading to remote code execution (issue #3351) Solution: refactor bounds check arithmetic such that no overflow shall occur Signed-off-by: Guido Vranken <guidovranken@gmail.com>
1a2ed127 · Guido Vranken · 7302b9b8 · 1a2ed127
Commit 1a2ed127 authored Jan 08, 2019 by Guido Vranken
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 2 deletions

v2_decoder.cpp src/v2_decoder.cpp +1 -2

No files found.
--- a/src/v2_decoder.cpp
+++ b/src/v2_decoder.cpp
@@ -115,8 +115,7 @@ int zmq::v2_decoder_t::size_ready (uint64_t msg_size_,
    shared_message_memory_allocator &allocator = get_allocator ();
    if (unlikely (!_zero_copy
-                  || ((unsigned char *) read_pos_ + msg_size_
+                  || msg_size_ > allocator.data () + allocator.size () - read_pos_ )) {
-                      > (allocator.data () + allocator.size ())))) {
        // a new message has started, but the size would exceed the pre-allocated arena
        // this happens every time when a message does not fit completely into the buffer
        rc = _in_progress.init_size (static_cast<size_t> (msg_size_));