Commit 45c68154 authored by Thomas Rodgers's avatar Thomas Rodgers

resolve #1292 ZMQ_IDENTITY_FD does not validate option_len

parent 4e9e719f
...@@ -34,7 +34,7 @@ zmq::router_t::router_t (class ctx_t *parent_, uint32_t tid_, int sid_) : ...@@ -34,7 +34,7 @@ zmq::router_t::router_t (class ctx_t *parent_, uint32_t tid_, int sid_) :
next_rid (generate_random ()), next_rid (generate_random ()),
mandatory (false), mandatory (false),
// raw_sock functionality in ROUTER is deprecated // raw_sock functionality in ROUTER is deprecated
raw_sock (false), raw_sock (false),
probe_router (false), probe_router (false),
handover (false) handover (false)
{ {
...@@ -118,8 +118,8 @@ int zmq::router_t::xsetsockopt (int option_, const void *optval_, ...@@ -118,8 +118,8 @@ int zmq::router_t::xsetsockopt (int option_, const void *optval_,
return 0; return 0;
} }
break; break;
case ZMQ_ROUTER_HANDOVER: case ZMQ_ROUTER_HANDOVER:
if (is_int && value >= 0) { if (is_int && value >= 0) {
handover = (value != 0); handover = (value != 0);
return 0; return 0;
...@@ -142,7 +142,13 @@ int zmq::router_t::xgetsockopt (int option_, const void *optval_, ...@@ -142,7 +142,13 @@ int zmq::router_t::xgetsockopt (int option_, const void *optval_,
*optvallen_=sizeof(fd_t); *optvallen_=sizeof(fd_t);
return 0; return 0;
} }
if (optval_ && optvallen_ && *optvallen_) { if (optval_ && optvallen_ && *optvallen_) {
if (*optvallen_ < sizeof(fd_t)) {
*optvallen_=sizeof(fd_t);
return EINVAL;
}
blob_t identity= blob_t((unsigned char*)optval_,*optvallen_); blob_t identity= blob_t((unsigned char*)optval_,*optvallen_);
outpipes_t::iterator it = outpipes.find (identity); outpipes_t::iterator it = outpipes.find (identity);
if (it == outpipes.end() ){ if (it == outpipes.end() ){
...@@ -420,10 +426,10 @@ bool zmq::router_t::identify_peer (pipe_t *pipe_) ...@@ -420,10 +426,10 @@ bool zmq::router_t::identify_peer (pipe_t *pipe_)
connect_rid.length()); connect_rid.length());
connect_rid.clear (); connect_rid.clear ();
outpipes_t::iterator it = outpipes.find (identity); outpipes_t::iterator it = outpipes.find (identity);
if (it != outpipes.end ()) if (it != outpipes.end ())
zmq_assert(false); // Not allowed to duplicate an existing rid zmq_assert(false); // Not allowed to duplicate an existing rid
} }
else else
if (options.raw_sock) { // Always assign identity for raw-socket if (options.raw_sock) { // Always assign identity for raw-socket
unsigned char buf [5]; unsigned char buf [5];
buf [0] = 0; buf [0] = 0;
...@@ -431,7 +437,7 @@ bool zmq::router_t::identify_peer (pipe_t *pipe_) ...@@ -431,7 +437,7 @@ bool zmq::router_t::identify_peer (pipe_t *pipe_)
identity = blob_t (buf, sizeof buf); identity = blob_t (buf, sizeof buf);
} }
else else
if (!options.raw_sock) { if (!options.raw_sock) {
// Pick up handshake cases and also case where next identity is set // Pick up handshake cases and also case where next identity is set
msg.init (); msg.init ();
ok = pipe_->read (&msg); ok = pipe_->read (&msg);
...@@ -457,7 +463,7 @@ bool zmq::router_t::identify_peer (pipe_t *pipe_) ...@@ -457,7 +463,7 @@ bool zmq::router_t::identify_peer (pipe_t *pipe_)
return false; return false;
else { else {
// We will allow the new connection to take over this // We will allow the new connection to take over this
// identity. Temporarily assign a new identity to the // identity. Temporarily assign a new identity to the
// existing pipe so we can terminate it asynchronously. // existing pipe so we can terminate it asynchronously.
unsigned char buf [5]; unsigned char buf [5];
buf [0] = 0; buf [0] = 0;
...@@ -465,13 +471,13 @@ bool zmq::router_t::identify_peer (pipe_t *pipe_) ...@@ -465,13 +471,13 @@ bool zmq::router_t::identify_peer (pipe_t *pipe_)
blob_t new_identity = blob_t (buf, sizeof buf); blob_t new_identity = blob_t (buf, sizeof buf);
it->second.pipe->set_identity (new_identity); it->second.pipe->set_identity (new_identity);
outpipe_t existing_outpipe = outpipe_t existing_outpipe =
{it->second.pipe, it->second.active}; {it->second.pipe, it->second.active};
ok = outpipes.insert (outpipes_t::value_type ( ok = outpipes.insert (outpipes_t::value_type (
new_identity, existing_outpipe)).second; new_identity, existing_outpipe)).second;
zmq_assert (ok); zmq_assert (ok);
// Remove the existing identity entry to allow the new // Remove the existing identity entry to allow the new
// connection to take the identity. // connection to take the identity.
outpipes.erase (it); outpipes.erase (it);
......
...@@ -26,7 +26,7 @@ int main (void) ...@@ -26,7 +26,7 @@ int main (void)
void *ctx = zmq_ctx_new (); void *ctx = zmq_ctx_new ();
assert (ctx); assert (ctx);
void *client = zmq_socket (ctx, ZMQ_REQ); void *client = zmq_socket (ctx, ZMQ_REQ);
assert (client); assert (client);
...@@ -38,45 +38,53 @@ int main (void) ...@@ -38,45 +38,53 @@ int main (void)
assert (rc == 0); assert (rc == 0);
rc = zmq_connect (client, "tcp://127.0.0.1:9998"); rc = zmq_connect (client, "tcp://127.0.0.1:9998");
assert (rc == 0); assert (rc == 0);
rc=zmq_send(client,"1234567890",10,0); rc=zmq_send(client,"1234567890",10,0);
assert (rc != -1); assert (rc != -1);
int partnumber=1; int partnumber=1;
int recvfd=-1; int recvfd=-1;
zmq_msg_t part; zmq_msg_t part;
do { do {
/* if not first free prev message part */ /* if not first free prev message part */
if (partnumber!=1) zmq_msg_close (&part); if (partnumber!=1) zmq_msg_close (&part);
/* Create an empty ØMQ message to hold the message part */ /* Create an empty ØMQ message to hold the message part */
int rc = zmq_msg_init (&part); int rc = zmq_msg_init (&part);
assert (rc == 0); assert (rc == 0);
/* Block until a message is available to be received from socket */ /* Block until a message is available to be received from socket */
rc = zmq_msg_recv (&part,server, 0); rc = zmq_msg_recv (&part,server, 0);
assert (rc != -1); assert (rc != -1);
if (partnumber==1) {// this is the identity of the receiving pipe if (partnumber==1) {// this is the identity of the receiving pipe
//buffer for zmq_getsockopt / ZMQ_IDENTITY_FD //buffer for zmq_getsockopt / ZMQ_IDENTITY_FD
char idbuf[255]; char idbuf[255];
size_t idbufsz=zmq_msg_size (&part); char failbuf[2];
size_t idbufsz=zmq_msg_size (&part);
size_t failsz=2;
assert (idbufsz<=255); assert (idbufsz<=255);
memcpy(idbuf,zmq_msg_data(&part),idbufsz); memcpy(idbuf,zmq_msg_data(&part),idbufsz);
failbuf[0] = idbuf[0];
failbuf[1] = 0;
// ensure that we validate buffer is sufficient to hold result
rc = zmq_getsockopt (server, ZMQ_IDENTITY_FD, failbuf, &failsz);
assert (rc == EINVAL);
rc = zmq_getsockopt (server, ZMQ_IDENTITY_FD, idbuf, &idbufsz); rc = zmq_getsockopt (server, ZMQ_IDENTITY_FD, idbuf, &idbufsz);
assert (rc == 0); assert (rc == 0);
memcpy(&recvfd,idbuf,sizeof(recvfd)); memcpy(&recvfd,idbuf,sizeof(recvfd));
//depending on your system this should be around 14 //depending on your system this should be around 14
assert (recvfd > 0); assert (recvfd > 0);
} }
partnumber++; partnumber++;
} while (zmq_msg_more(&part)); } while (zmq_msg_more(&part));
zmq_msg_close (&part); zmq_msg_close (&part);
close_zero_linger (client); close_zero_linger (client);
close_zero_linger (server); close_zero_linger (server);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment