[ https://issues.apache.org/jira/browse/THRIFT-2660?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14099972#comment-14099972 ]
Roger Meier commented on THRIFT-2660: ------------------------------------- Yes, why not. [~jfarrell] what do you think? > Validate the bytes received in TSaslTransport > --------------------------------------------- > > Key: THRIFT-2660 > URL: https://issues.apache.org/jira/browse/THRIFT-2660 > Project: Thrift > Issue Type: Bug > Components: Java - Library > Affects Versions: 0.9 > Reporter: Harsh J > Assignee: Roger Meier > Attachments: THRIFT-2660.patch, THRIFT-2660.patch > > > In TSaslTransport#receiveSaslMessage, we are doing two things incorrectly: > - Not validating the status byte code. > - Not validating the decoded payload size integer before allocating a whole > array with it. > The latter especially is bad when a network security software sends a thrift > server port some garbage data, causing it to receive failures like: > {code} > java.lang.OutOfMemoryError: Java heap space > at > org.apache.thrift.transport.TSaslTransport.receiveSaslMessage(TSaslTransport.java:181) > at > org.apache.thrift.transport.TSaslServerTransport.handleSaslStartMessage(TSaslServerTransport.java:125) > at > org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:253) > {code} > Or even, > {code} > ERROR org.apache.thrift.server.TThreadPoolServer: Error occurred during > processing of message. > java.lang.NegativeArraySizeException > at > org.apache.thrift.transport.TSaslTransport.receiveSaslMessage(TSaslTransport.java:181) > at > org.apache.thrift.transport.TSaslServerTransport.handleSaslStartMessage(TSaslServerTransport.java:125) > at > org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:253) > {code} -- This message was sent by Atlassian JIRA (v6.2#6252)