Commit ccb13e17 authored by Juha Reunanen

add sanity check in msg_t::rm_refs in order to avoid invalid memory access with u.zclmsg.refcnt

parent 6ab66ca5
...@@ -467,7 +467,7 @@ bool zmq::msg_t::rm_refs (int refs_) ...@@ -467,7 +467,7 @@ bool zmq::msg_t::rm_refs (int refs_)
} }
// The only message type that needs special care are long and zcopy messages. // The only message type that needs special care are long and zcopy messages.
if (!u.lmsg.content->refcnt.sub (refs_)) { if (u.base.type == type_lmsg && !u.lmsg.content->refcnt.sub(refs_)) {
// We used "placement new" operator to initialize the reference // We used "placement new" operator to initialize the reference
// counter so we call the destructor explicitly now. // counter so we call the destructor explicitly now.
u.lmsg.content->refcnt.~atomic_counter_t (); u.lmsg.content->refcnt.~atomic_counter_t ();
...@@ -479,7 +479,7 @@ bool zmq::msg_t::rm_refs (int refs_) ...@@ -479,7 +479,7 @@ bool zmq::msg_t::rm_refs (int refs_)
return false; return false;
} }
if (!u.zclmsg.refcnt->sub (refs_)) { if (is_zcmsg() && !u.zclmsg.refcnt->sub(refs_)) {
// storage for rfcnt is provided externally // storage for rfcnt is provided externally
if (u.zclmsg.ffn) { if (u.zclmsg.ffn) {
u.zclmsg.ffn(u.zclmsg.data, u.zclmsg.hint); u.zclmsg.ffn(u.zclmsg.data, u.zclmsg.hint);
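Review bot: The two new type guards are spelled differently, `u.base.type == type_lmsg` on the long-message branch and `is_zcmsg()` on the zero-copy branch, and neither carries a comment saying why it is there. `u` appears to be a union whose valid member depends on the message type, so dereferencing `u.lmsg.content` or `u.zclmsg.refcnt` under the wrong type is the invalid access the commit title describes; a one-line reason such as `// u.lmsg.content is only valid when the type tag is type_lmsg` above each guard would keep a later cleanup from removing it. Using one form for both guards makes it easier to check that each member is touched only under its own tag; whether `is_zcmsg()` tests that same tag is not visible in these hunks. The new lines also drop the space before the call parenthesis (`sub(refs_)`) that the replaced lines used (`sub (refs_)`). The body of `rm_refs` starts and ends outside the shown hunks.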