From 1a2ed12716693073032d57dac4e269df3d373751 Mon Sep 17 00:00:00 2001
From: Guido Vranken
Date: Tue, 8 Jan 2019 23:39:41 +0100
Subject: [PATCH 1/3] Problem: pointer overflow in zmq::v2_decoder_t::size_ready leading to remote code execution (issue #3351)
Solution: refactor bounds check arithmetic such that no overflow shall occur
Signed-off-by: Guido Vranken
---
 src/v2_decoder.cpp | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/v2_decoder.cpp b/src/v2_decoder.cpp
index 3c29da2d14..4523d6b0e9 100644
--- a/src/v2_decoder.cpp
+++ b/src/v2_decoder.cpp
@@ -115,8 +115,7 @@ int zmq::v2_decoder_t::size_ready (uint64_t msg_size_,
 shared_message_memory_allocator &allocator = get_allocator ();
 if (unlikely (!_zero_copy
- || ((unsigned char *) read_pos_ + msg_size_
- > (allocator.data () + allocator.size ())))) {
+ || msg_size_ > allocator.data () + allocator.size () - read_pos_ )) {
 // a new message has started, but the size would exceed the pre-allocated arena
 // this happens every time when a message does not fit completely into the buffer
 rc = _in_progress.init_size (static_cast (msg_size_));
From dcf001906adb378fb0725ad6c1888a1ffabd5279 Mon Sep 17 00:00:00 2001
From: Guido Vranken
Date: Tue, 8 Jan 2019 23:44:04 +0100
Subject: [PATCH 2/3] Problem: no relicense agreement by guidovranken
Solution: added relicense agreement
Signed-off-by: Guido Vranken
---
 RELICENSE/guidovranken.md | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 RELICENSE/guidovranken.md
diff --git a/RELICENSE/guidovranken.md b/RELICENSE/guidovranken.md
new file mode 100644
index 0000000000..f7e9b62c0b
--- /dev/null
+++ b/RELICENSE/guidovranken.md
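Review bot: The new bounds check assumes `read_pos_` lies at or before `allocator.data () + allocator.size ()`; nothing in the hunk pins that, and if the invariant were ever violated the pointer difference would go negative and, once treated as unsigned, would let an oversized `msg_size_` through. A `zmq_assert (read_pos_ <= allocator.data () + allocator.size ());` ahead of the `if` would record that precondition cheaply; the same point applies to the third patch of this series, which keeps the expression and adds the unsigned cast. The surrounding comment still describes only the arena-overflow case, so add a line on why the arithmetic was reordered, e.g. `// compare msg_size_ against the remaining arena space; read_pos_ + msg_size_ could wrap for a hostile size`. `size_ready` begins and ends outside the hunk.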
@@ -0,0 +1,17 @@
+# Permission to Relicense under MPLv2 or any other OSI approved license chosen by the current ZeroMQ BDFL
+
+This is a statement by Guido Vranken that grants permission to
+relicense its copyrights in the libzmq C++ library (ZeroMQ) under the
+Mozilla Public License v2 (MPLv2) or any other Open Source Initiative
+approved license chosen by the current ZeroMQ BDFL (Benevolent
+Dictator for Life).
+
+A portion of the commits made by the Github handle "guidovranken", with
+commit author "Guido Vranken ", are
+copyright of Guido Vranken. This document hereby grants the libzmq
+project team to relicense libzmq, including all past, present and
+future contributions of the author listed above.
+
+Guido Vranken
+2019/01/08
+
From 731be4bd590cfd7e3c685372c89e4129916f81ae Mon Sep 17 00:00:00 2001
From: Guido Vranken
Date: Wed, 9 Jan 2019 12:36:28 +0100
Subject: [PATCH 3/3] Problem: Compilation error due to comparison between signed and unsigned expressions
Solution: Cast the signed expression (which is always positive) to unsigned
Signed-off-by: Guido Vranken
---
 src/v2_decoder.cpp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/v2_decoder.cpp b/src/v2_decoder.cpp
index 4523d6b0e9..5781d8043e 100644
--- a/src/v2_decoder.cpp
+++ b/src/v2_decoder.cpp
@@ -115,7 +115,8 @@ int zmq::v2_decoder_t::size_ready (uint64_t msg_size_,
 shared_message_memory_allocator &allocator = get_allocator ();
 if (unlikely (!_zero_copy
- || msg_size_ > allocator.data () + allocator.size () - read_pos_ )) {
+ || msg_size_ >
+ (size_t)(allocator.data () + allocator.size () - read_pos_))) {
 // a new message has started, but the size would exceed the pre-allocated arena
 // this happens every time when a message does not fit completely into the buffer
 rc = _in_progress.init_size (static_cast (msg_size_));
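Review bot: The added conversion is a C-style `(size_t)(...)` cast, while the `init_size` call two lines below in the same hunk already uses `static_cast`; write it as `static_cast<size_t> (allocator.data () + allocator.size () - read_pos_)` so the file's cast style stays uniform and the narrowing is greppable. The commit message justifies the cast by saying the difference is always positive, and that justification belongs in the code as well, e.g. `// read_pos_ never runs past the arena end, so the difference is non-negative` next to the cast. `size_ready` begins and ends outside the hunk.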