From 410f891599b12b39cc4009a91747e506ed1a2475 Mon Sep 17 00:00:00 2001
From: Martin Hurton
Date: Wed, 14 May 2014 14:12:04 +0200
Subject: [PATCH] Prefix error-reason with length in ERROR command
---
 src/null_mechanism.cpp | 13 +++++++++----
 src/plain_client.cpp | 8 ++++++--
 src/plain_server.cpp | 5 +++--
 3 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/src/null_mechanism.cpp b/src/null_mechanism.cpp
index b5a351c4..cb4b2644 100644
--- a/src/null_mechanism.cpp
+++ b/src/null_mechanism.cpp
@@ -78,12 +78,13 @@ int zmq::null_mechanism_t::next_handshake_command (msg_t *msg_)
 if (zap_reply_received && strncmp (status_code, "200", sizeof status_code) != 0) {
- const int rc = msg_->init_size (6 + sizeof status_code);
+ const int rc = msg_->init_size (6 + 1 + sizeof status_code);
 zmq_assert (rc == 0);
 unsigned char *msg_data = static_cast (msg_->data ());
 memcpy (msg_data, "\5ERROR", 6);
- memcpy (msg_data + 6, status_code, sizeof status_code);
+ msg_data [6] = sizeof status_code;
+ memcpy (msg_data + 7, status_code, sizeof status_code);
 error_command_sent = true;
 return 0;
 }
@@ -163,8 +164,12 @@ int zmq::null_mechanism_t::process_ready_command (
 int zmq::null_mechanism_t::process_error_command (
 const unsigned char *cmd_data, size_t data_size)
 {
- const size_t error_reason_len = data_size - 6;
- if (error_reason_len < 1 || error_reason_len > 255) {
+ if (data_size < 7) {
+ errno = EPROTO;
+ return -1;
+ }
+ const size_t error_reason_len = static_cast (cmd_data [6]);
+ if (error_reason_len > data_size - 7) {
 errno = EPROTO;
 return -1;
 }
diff --git a/src/plain_client.cpp b/src/plain_client.cpp
index 2bf5a881..38e77b61 100644
--- a/src/plain_client.cpp
+++ b/src/plain_client.cpp
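Review bot: `msg_data [6] = sizeof status_code;` narrows a size_t into a single byte with no cast, and the same implicit narrowing appears in plain_server.cpp's produce_error (`msg_data [6] = status_code.length ();`, correct only because of the `zmq_assert (status_code.length () == 3)` above it). Writing the length field as `msg_data [6] = static_cast<unsigned char> (sizeof status_code);` (and `static_cast<char>` in plain_server.cpp, where msg_data is a char pointer) makes the one-byte width of the field explicit and keeps conversion warnings quiet. The offsets 6 and 7 are now repeated across three files; a comment above the first memcpy such as `// ERROR command: \5 "ERROR", one-byte reason length, reason bytes` would document the wire layout those literals encode. The body of next_handshake_command continues outside the hunk.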
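Review bot: The new bound `if (error_reason_len > data_size - 7)` in process_error_command accepts an ERROR frame that carries extra bytes after the declared reason, and a length byte of 0 now passes where the removed check rejected a reason shorter than one byte. If the length byte is meant to describe the whole remainder of the command, the check should be `if (error_reason_len != data_size - 7)` so a malformed frame fails with EPROTO instead of being partially parsed; whether a zero-length reason must still be rejected depends on the protocol text, which the patch does not cite. The identical check is introduced in plain_client.cpp's process_error and should change the same way. What the function does with error_reason_len afterwards lies outside the hunk.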
@@ -199,8 +199,12 @@ int zmq::plain_client_t::process_error (
 errno = EPROTO;
 return -1;
 }
- const size_t error_reason_len = data_size - 6;
- if (error_reason_len < 1 || error_reason_len > 255) {
+ if (data_size < 7) {
+ errno = EPROTO;
+ return -1;
+ }
+ const size_t error_reason_len = static_cast (cmd_data [6]);
+ if (error_reason_len > data_size - 7) {
 errno = EPROTO;
 return -1;
 }
diff --git a/src/plain_server.cpp b/src/plain_server.cpp
index d487454a..211e9fa4 100644
--- a/src/plain_server.cpp
+++ b/src/plain_server.cpp
@@ -261,11 +261,12 @@ int zmq::plain_server_t::produce_ready (msg_t *msg_) const
 int zmq::plain_server_t::produce_error (msg_t *msg_) const
 {
 zmq_assert (status_code.length () == 3);
- const int rc = msg_->init_size (6 + status_code.length ());
+ const int rc = msg_->init_size (6 + 1 + status_code.length ());
 zmq_assert (rc == 0);
 char *msg_data = static_cast (msg_->data ());
 memcpy (msg_data, "\5ERROR", 6);
- memcpy (msg_data + 6, status_code.c_str (), status_code.length ());
+ msg_data [6] = status_code.length ();
+ memcpy (msg_data + 7, status_code.c_str (), status_code.length ());
 return 0;
 }