diff options
author | Perry Kundert <perry@kundert.ca> | 2011-10-29 14:47:53 +0200 |
---|---|---|
committer | Martin Sustrik <sustrik@250bpm.com> | 2011-10-29 14:47:53 +0200 |
commit | 09574a6104ce824c43fe8261d31451ccb337d11b (patch) | |
tree | 612a254d1394676b6b446400dd8f89674f052cb2 | |
parent | 52bab42212c263a51b219ae8714c481bc948cb4e (diff) |
Corrected discarding of remainder of message when request ID invalid
When zmq::req_t::xrecv detects that a response has no request ID
label, or the ID is the wrong size, it would return an EAGAIN, but
would not discard the remainder of the message. This could allow the
remainder of the message to incorrectly "leak" into a future response,
if it is crafted to look like a reply with a valid response ID.
Discard all remaining message blocks, if the ID is invalid in any way.
-rw-r--r-- | src/req.cpp | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/src/req.cpp b/src/req.cpp index 04a19fb..0832f60 100644 --- a/src/req.cpp +++ b/src/req.cpp @@ -92,14 +92,20 @@ int zmq::req_t::xrecv (msg_t *msg_, int flags_) // TODO: This should also close the connection with the peer! if (unlikely (!(msg_->flags () & msg_t::label) || msg_->size () != 4)) { + while (true) { + int rc = xreq_t::xrecv (msg_, flags_); + errno_assert (rc == 0); + if (!(msg_->flags () & (msg_t::label | msg_t::more))) + break; + } + msg_->close (); + msg_->init (); errno = EAGAIN; return -1; } unsigned char *data = (unsigned char*) msg_->data (); if (unlikely (get_uint32 (data) != request_id)) { - - // The request ID does not match. Drop the entire message. while (true) { int rc = xreq_t::xrecv (msg_, flags_); errno_assert (rc == 0); |