[ https://issues.apache.org/jira/browse/THRIFT-3978?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
James E. King, III updated THRIFT-3978: --------------------------------------- Description: Currently there is widespread use of assert in the thrift C++ runtime library. Some of the more disturbing cases are security related, for example checking header sizes. I recommend we eliminate assertions that are only checked in debug mode, and instead throw the appropriate exception, usually a TTransportException with CORRUPTED_DATA as the reason. If we're going to check for an overflow or a buffer overrun, we should do so in debug and release modes. Further, assertions are not easily tested whereas exceptions are. In THRIFT-3873 apache::thrift::transport::safe_numeric_cast was added, so I also suggest changing static_cast to safe_numeric_cast where appropriate throughout the transport code to catch any overflow errors. was:Currently there is widespread use of assert in the thrift C++ runtime library. Some of the more disturbing cases are security related, for example checking header sizes. I recommend we eliminate assertions that are only checked in debug mode, and instead throw the appropriate exception, usually a TTransportException with CORRUPTED_DATA as the reason. If we're going to check for an overflow or a buffer overrun, we should do so in debug and release modes. Further, assertions are not easily tested whereas exceptions are. > Thrift C++ runtime uses assert to prevent overflows, checks sanity only in > debug builds > --------------------------------------------------------------------------------------- > > Key: THRIFT-3978 > URL: https://issues.apache.org/jira/browse/THRIFT-3978 > Project: Thrift > Issue Type: Bug > Components: C++ - Library > Affects Versions: 0.10.0 > Environment: All > Reporter: James E. King, III > Assignee: James E. King, III > Labels: security > > Currently there is widespread use of assert in the thrift C++ runtime > library. Some of the more disturbing cases are security related, for example > checking header sizes. I recommend we eliminate assertions that are only > checked in debug mode, and instead throw the appropriate exception, usually a > TTransportException with CORRUPTED_DATA as the reason. If we're going to > check for an overflow or a buffer overrun, we should do so in debug and > release modes. Further, assertions are not easily tested whereas exceptions > are. > In THRIFT-3873 apache::thrift::transport::safe_numeric_cast was added, so I > also suggest changing static_cast to safe_numeric_cast where appropriate > throughout the transport code to catch any overflow errors. -- This message was sent by Atlassian JIRA (v6.3.4#6332)