From 3da6fde5921b9dd1b5db54981d6769c0afca9b73 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Val=C3=A8s?= <7755128+stvales@users.noreply.github.com>
Date: Fri, 7 Aug 2020 10:13:52 +0200
Subject: [PATCH] Problem : if socket is invalid for any reason, as_socket_base_t() will return NULL and 'as_socket_base_t (items_[i].socket)->is_thread_safe ()' will crash (#4004)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Problem : if socket is invalid for any reason, as_socket_base_t() will return NULL and 'as_socket_base_t (items_[i].socket)->is_thread_safe ()' will crash Solution: expand the code to test the returned value from as_socket_base_t() before calling is_thread_safe() and make zmq_poll() return -1 if as_socket_base_t() returned NULL. NB: this occurred on the destruction of a SUB socket while running a zloop and without previously calling zloop_reader_set_tolerant and zloop_reader_end. When entering zmq_poll, the PUB socket was already destroyed but still registered in the poll items. NB: making zmq_poll return -1 is OK as it is what happens anyway, and errno is properly set to ENOTSOCK by as_socket_base_t() when it returns NULL.
Co-authored-by: Stéphane Valès
---
 src/zmq.cpp | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/zmq.cpp b/src/zmq.cpp
index 834f668f..59e235a9 100644
--- a/src/zmq.cpp
+++ b/src/zmq.cpp
@@ -855,9 +855,15 @@ int zmq_poll (zmq_pollitem_t *items_, int nitems_, long timeout_)
 // if poller is present, use that if there is at least 1 thread-safe socket,
 // otherwise fall back to the previous implementation as it's faster.
 for (int i = 0; i != nitems_; i++) {
- if (items_[i].socket
- && as_socket_base_t (items_[i].socket)->is_thread_safe ()) {
- return zmq_poller_poll (items_, nitems_, timeout_);
+ if (items_[i].socket) {
+ zmq::socket_base_t *s = as_socket_base_t (items_[i].socket);
+ if (s) {
+ if (s->is_thread_safe ())
+ return zmq_poller_poll (items_, nitems_, timeout_);
+ } else {
+ //as_socket_base_t returned NULL : socket is invalid
+ return -1;
+ }
 }
 }
 #endif // ZMQ_HAVE_POLLER
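Review bot: The new `if (s)` test only helps while as_socket_base_t () can still tell that the handle is invalid; its body is not in this hunk, but if it validates by reading the pointed-to object, then the case in the description (a socket already destroyed yet still registered in items_) is a read of freed memory that is detected on a best-effort basis, not reliably. I would make the comment on the `else` branch say that and record the errno contract the description relies on, for example `// as_socket_base_t () returned NULL (errno set, ENOTSOCK per the commit message): invalid socket. Best-effort only; remove sockets from items_ before closing them.` The loop header `for (int i = 0; i != nitems_; i++)` also indexes past items_ for a negative nitems_ unless that is rejected before this point, which the hunk does not show; `i < nitems_` is the safer bound. zmq_poll's body starts and ends outside the hunk.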