Fix denial-of-service in Message::gets

cite-reader · rotty · commit 3606a3efc6fc · 2019-09-21T12:01:33.000+02:00
`Message::gets` now returns None on invalid UTF-8 instead of panicking.

The doc for zmq_msg_gets says that "both the property argument and the
value shall be NULL-terminated UTF8-strings", but in practice libzmq
neither confirms nor enforces this. A buggy or malicious peer can send
arbitrary binary garbage, which will be faithfully returned verbatim
from zmq_msg_gets. Converting the Result from str::from_utf8 to an
Option via .ok() instead of unwrapping saves us from a crash without a
client-breaking type change.
diff --git a/src/message.rs b/src/message.rs
@@ -124,7 +124,10 @@ impl Message {
         if value.is_null() {
             None
         } else {
-            Some(unsafe { str::from_utf8(ffi::CStr::from_ptr(value).to_bytes()).unwrap() })
+            // Note: libzmq` does not do UTF-8 validation, even though its doc
+            // suggest that UTF-8 "shall" be used here. Maybe we should changge
+            // the API to return a bytes slice.
+            str::from_utf8(unsafe { ffi::CStr::from_ptr(value) }.to_bytes()).ok()
         }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -124,7 +124,10 @@ impl Message {`
`124`	`124`	`if value.is_null() {`
`125`	`125`	`None`
`126`	`126`	`} else {`
`127`		`- Some(unsafe { str::from_utf8(ffi::CStr::from_ptr(value).to_bytes()).unwrap() })`
	`127`	+ // Note: libzmq` does not do UTF-8 validation, even though its doc
	`128`	`+ // suggest that UTF-8 "shall" be used here. Maybe we should changge`
	`129`	`+ // the API to return a bytes slice.`
	`130`	`+ str::from_utf8(unsafe { ffi::CStr::from_ptr(value) }.to_bytes()).ok()`
`128`	`131`	`}`
`129`	`132`	`}`
`130`	`133`	`}`