authorPerry Kundert <perry@kundert.ca>2011-10-29 14:47:53 +0200
committerMartin Sustrik <sustrik@250bpm.com>2011-10-29 14:47:53 +0200
commit09574a6104ce824c43fe8261d31451ccb337d11b (patch)
tree612a254d1394676b6b446400dd8f89674f052cb2
parent52bab42212c263a51b219ae8714c481bc948cb4e (diff)
Corrected discarding of remainder of message when request ID invalid
When zmq::req_t::xrecv detected that a response had no request ID label, or that the ID was the wrong size, it returned EAGAIN but did not discard the remainder of the message. This could allow the remainder of the message to incorrectly "leak" into a future response if it was crafted to look like a reply with a valid response ID. Discard all remaining message blocks if the ID is invalid in any way.
-rw-r--r--src/req.cpp10
1 files changed, 8 insertions, 2 deletions
diff --git a/src/req.cpp b/src/req.cpp
index 04a19fb..0832f60 100644
--- a/src/req.cpp
+++ b/src/req.cpp
@@ -92,14 +92,20 @@ int zmq::req_t::xrecv (msg_t *msg_, int flags_)
// TODO: This should also close the connection with the peer!
if (unlikely (!(msg_->flags () & msg_t::label) || msg_->size () != 4)) {
+ while (true) {
+ int rc = xreq_t::xrecv (msg_, flags_);
+ errno_assert (rc == 0);
+ if (!(msg_->flags () & (msg_t::label | msg_t::more)))
+ break;
+ }
+ msg_->close ();
+ msg_->init ();
errno = EAGAIN;
return -1;
}
unsigned char *data = (unsigned char*) msg_->data ();
if (unlikely (get_uint32 (data) != request_id)) {
-
- // The request ID does not match. Drop the entire message.
while (true) {
int rc = xreq_t::xrecv (msg_, flags_);
errno_assert (rc == 0);