[ https://issues.apache.org/jira/browse/THRIFT-1643?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Niraj Tolia updated THRIFT-1643:
--------------------------------
Attachment: 0001-Address-denial-of-service-in-TCompactProtocol.patch
Would a patch like the one attached be acceptable? Note that apart from a
private hacked-up test, this patch hasn't really been put through its paces.
However, all current unit tests pass. Would be happy to add more tests if this
or something similar would be accepted.
As I could not see any easy way of making it backwards compatible with
arbitrary applications, this would require callers that care about the
Denial-of-Service problem to change how they construct the protocol factories.
> Denial of Service attack in TBinaryProtocol.readString
> ------------------------------------------------------
>
> Key: THRIFT-1643
> URL: https://issues.apache.org/jira/browse/THRIFT-1643
> Project: Thrift
> Issue Type: Bug
> Components: Java - Library
> Affects Versions: 0.6.1, 0.8
> Environment: All
> Reporter: Devesh Parekh
> Priority: Critical
> Labels: security
> Attachments:
> 0001-Address-denial-of-service-in-TCompactProtocol.patch, Attack.java,
> Foo.thrift
>
> Original Estimate: 24h
> Remaining Estimate: 24h
>
> In readString, if the string field's size is greater than the number of bytes
> remaining in the byte array to deserialize, libthrift will happily allocate a
> byte array of that size in readStringBody, filling the heap.
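As an added illustration of the allocation problem described above, the following is a small stand-in reader written for this note; it is not the attached patch and not libthrift's code. It reads a big-endian 4-byte length followed by UTF-8 bytes, the same shape as a binary-protocol string field. The class and method names (`LengthPrefixedStringReader`, `readStringUnchecked`, `readStringChecked`, the `maxStringLength` cap) are assumptions chosen for the example, and the two frames are constructed sample inputs.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

// Hypothetical stand-in for a binary-protocol string reader (not libthrift's TBinaryProtocol).
public final class LengthPrefixedStringReader {

    public static final class SizeLimitException extends RuntimeException {
        SizeLimitException(String msg) { super(msg); }
    }

    private final ByteBuffer in;
    private final int maxStringLength; // hypothetical configurable cap; <= 0 means no cap

    public LengthPrefixedStringReader(byte[] data, int maxStringLength) {
        this.in = ByteBuffer.wrap(data); // ByteBuffer defaults to big-endian, matching an i32 length prefix
        this.maxStringLength = maxStringLength;
    }

    /** Vulnerable pattern: trust the wire-supplied length and allocate before checking anything. */
    public String readStringUnchecked() {
        int size = in.getInt();
        byte[] buf = new byte[size]; // peer-controlled size: a huge value fills the heap (OutOfMemoryError)
        in.get(buf);
        return new String(buf, StandardCharsets.UTF_8);
    }

    /** Hardened pattern: validate the length against a cap and the bytes actually available, then allocate. */
    public String readStringChecked() {
        int size = in.getInt();
        if (size < 0) {
            throw new SizeLimitException("negative string length: " + size);
        }
        if (maxStringLength > 0 && size > maxStringLength) {
            throw new SizeLimitException("string length " + size + " exceeds limit " + maxStringLength);
        }
        if (size > in.remaining()) {
            throw new SizeLimitException("string length " + size + " exceeds remaining bytes " + in.remaining());
        }
        byte[] buf = new byte[size]; // only reached once the size is known to be sane
        in.get(buf);
        return new String(buf, StandardCharsets.UTF_8);
    }

    // Constructed sample: length prefix 0x7FFFFFFF followed by only three payload bytes.
    public static byte[] oversizedFrame() {
        return new byte[] {0x7F, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF, 'a', 'b', 'c'};
    }

    // Constructed sample: length prefix 3 followed by three payload bytes ("abc").
    public static byte[] benignFrame() {
        return new byte[] {0, 0, 0, 3, 'a', 'b', 'c'};
    }

    public static void main(String[] args) {
        System.out.println(new LengthPrefixedStringReader(benignFrame(), 1024).readStringChecked()); // abc
        try {
            new LengthPrefixedStringReader(oversizedFrame(), 1024).readStringChecked();
        } catch (SizeLimitException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // readStringUnchecked() on oversizedFrame() would attempt a ~2 GiB allocation; deliberately not run here.
    }
}
```

The `remaining()` check only works when the whole message is already in memory; for a streaming transport the configured cap is the effective defence, which is why a fix of this kind ends up as a limit that callers pass in when constructing the protocol factory rather than a purely internal change.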