Merge pull request #1293 from rodgert/master

resolve #1292 ZMQ_IDENTITY_FD does not validate option_len
2024-12-29 00:32:34 +08:00 · 2015-01-08 16:39:18 +01:00 · 2015-01-08 16:39:18 +01:00 · 1ae98c7422
commit 1ae98c7422
parent 4e9e719ff3 45c6815446
2 changed files with 37 additions and 23 deletions
--- a/src/router.cpp
+++ b/src/router.cpp
@ -34,7 +34,7 @@ zmq::router_t::router_t (class ctx_t *parent_, uint32_t tid_, int sid_) :
    next_rid (generate_random ()),
    mandatory (false),
    //  raw_sock functionality in ROUTER is deprecated
-    raw_sock (false),       
+    raw_sock (false),
    probe_router (false),
    handover (false)
 {
@ -118,8 +118,8 @@ int zmq::router_t::xsetsockopt (int option_, const void *optval_,
                return 0;
            }
            break;
-            
-        case ZMQ_ROUTER_HANDOVER: 
+
+        case ZMQ_ROUTER_HANDOVER:
            if (is_int && value >= 0) {
                handover = (value != 0);
                return 0;
@ -142,7 +142,13 @@ int zmq::router_t::xgetsockopt (int option_, const void *optval_,
                *optvallen_=sizeof(fd_t);
                return 0;
            }
+
            if (optval_ && optvallen_ && *optvallen_) {
+                if (*optvallen_ < sizeof(fd_t)) {
+                    *optvallen_=sizeof(fd_t);
+                    return EINVAL;
+                }
+
                blob_t identity= blob_t((unsigned char*)optval_,*optvallen_);
                outpipes_t::iterator it = outpipes.find (identity);
                if (it == outpipes.end() ){
@ -420,10 +426,10 @@ bool zmq::router_t::identify_peer (pipe_t *pipe_)
            connect_rid.length());
        connect_rid.clear ();
        outpipes_t::iterator it = outpipes.find (identity);
-        if (it != outpipes.end ()) 
+        if (it != outpipes.end ())
            zmq_assert(false); //  Not allowed to duplicate an existing rid
    }
-    else 
+    else
    if (options.raw_sock) { //  Always assign identity for raw-socket
        unsigned char buf [5];
        buf [0] = 0;
@ -431,7 +437,7 @@ bool zmq::router_t::identify_peer (pipe_t *pipe_)
        identity = blob_t (buf, sizeof buf);
    }
    else
-    if (!options.raw_sock) { 
+    if (!options.raw_sock) {
        //  Pick up handshake cases and also case where next identity is set
        msg.init ();
        ok = pipe_->read (&msg);
@ -457,7 +463,7 @@ bool zmq::router_t::identify_peer (pipe_t *pipe_)
                    return false;
                else {
                    //  We will allow the new connection to take over this
-                    //  identity. Temporarily assign a new identity to the 
+                    //  identity. Temporarily assign a new identity to the
                    //  existing pipe so we can terminate it asynchronously.
                    unsigned char buf [5];
                    buf [0] = 0;
@ -465,13 +471,13 @@ bool zmq::router_t::identify_peer (pipe_t *pipe_)
                    blob_t new_identity = blob_t (buf, sizeof buf);

                    it->second.pipe->set_identity (new_identity);
-                    outpipe_t existing_outpipe = 
+                    outpipe_t existing_outpipe =
                        {it->second.pipe, it->second.active};
-                
+
                    ok = outpipes.insert (outpipes_t::value_type (
                        new_identity, existing_outpipe)).second;
                    zmq_assert (ok);
-                
+
                    //  Remove the existing identity entry to allow the new
                    //  connection to take the identity.
                    outpipes.erase (it);
--- a/tests/test_id2fd.cpp
+++ b/tests/test_id2fd.cpp
@ -26,7 +26,7 @@ int main (void)

    void *ctx = zmq_ctx_new ();
    assert (ctx);
-    
+
    void *client = zmq_socket (ctx, ZMQ_REQ);
    assert (client);

@ -38,45 +38,53 @@ int main (void)
    assert (rc == 0);
    rc = zmq_connect (client, "tcp://127.0.0.1:9998");
    assert (rc == 0);
-    
+
    rc=zmq_send(client,"1234567890",10,0);
    assert (rc != -1);
-    
+

    int partnumber=1;
    int recvfd=-1;
    zmq_msg_t part;
    do {
        /* if not first free prev message part */
-        if (partnumber!=1) zmq_msg_close (&part); 
+        if (partnumber!=1) zmq_msg_close (&part);

        /* Create an empty ØMQ message to hold the message part */
        int rc = zmq_msg_init (&part);
        assert (rc == 0);
-        
+
        /* Block until a message is available to be received from socket */
        rc = zmq_msg_recv (&part,server, 0);
        assert (rc != -1);
        if (partnumber==1) {// this is the identity of the receiving pipe
-            
+
            //buffer for  zmq_getsockopt / ZMQ_IDENTITY_FD
-            char idbuf[255]; 
-            size_t  idbufsz=zmq_msg_size (&part);
-            
+            char idbuf[255];
+            char failbuf[2];
+            size_t idbufsz=zmq_msg_size (&part);
+            size_t failsz=2;
+
            assert (idbufsz<=255);
            memcpy(idbuf,zmq_msg_data(&part),idbufsz);
-            
+            failbuf[0] = idbuf[0];
+            failbuf[1] = 0;
+
+            // ensure that we validate buffer is sufficient to hold result
+            rc = zmq_getsockopt (server, ZMQ_IDENTITY_FD, failbuf, &failsz);
+            assert (rc == EINVAL);
+
            rc = zmq_getsockopt (server, ZMQ_IDENTITY_FD, idbuf, &idbufsz);
            assert (rc == 0);
-            
+
            memcpy(&recvfd,idbuf,sizeof(recvfd));
-            
+
            //depending on your system this should be around 14
            assert (recvfd > 0);
        }
        partnumber++;
    } while (zmq_msg_more(&part));
-    zmq_msg_close (&part); 
+    zmq_msg_close (&part);

    close_zero_linger (client);
    close_zero_linger (server);