[ https://issues.apache.org/jira/browse/THRIFT-4024?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15815392#comment-15815392 ]

Michael Antipin edited comment on THRIFT-4024 at 1/10/17 4:19 PM:
------------------------------------------------------------------

I've got bad binary data from server, complete gibberish. While this should not 
generally happen, _I may receive such data_ in my project (it has to do with 
breaking changes in data encryption). I have no way of knowing if it's OK until 
I try to deserialize. But anyway, that definitely should not be dangerous. 

I try to deserialize a binary, *that is not even a thrift*. Thrift library 
skips unknown bullshit until it occasionally finds what looks like a list (it's 
not, really). Just a coincidence. Its element type happens to be not of TType 
and its length is some number (pretty big in my case, but could be anything). It 
then tries to skip that list, which takes forever.


was (Author: aurora12):
I've got bad binary data from server, complete gibberish. While this should not 
generally happen, _I may receive such data_ in my project (it has to do with 
breaking changes in data encryption). I have no way of knowing if it's OK until 
I try to deserialize. But anyway, that should not be dangerous, really. 

I try to deserialize a binary, *that is not even a thrift*. Thrift library 
skips unknown bullshit until it occasionally finds what looks like a list (it's 
not, really). Just a coincidence. Its element type happens to be not of TType 
and its length is some number (pretty big in my case, but could be anything). It 
then tries to skip that list, which takes forever.

> C# deserialization takes unnecessary time on list with unknown type of 
> elements
> -------------------------------------------------------------------------------
>
>                 Key: THRIFT-4024
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4024
>             Project: Thrift
>          Issue Type: Bug
>          Components: C# - Library
>    Affects Versions: 0.10.0
>            Reporter: Michael Antipin
>            Assignee: Jens Geyer
>
> I'm using TBinaryProtocol and a simple transport that reads from a given byte 
> array.
> C# library contains the following code in TProtocolUtil.Skip(TProtocol prot, 
> TType type):
> {code}
> case TType.List:
>       TList list = prot.ReadListBegin();
>       for (int i = 0; i < list.Count; i++) {
>               Skip(prot, list.ElementType);
>       }
>       prot.ReadListEnd();
>       break;
> {code}
> The type of elements is detected in ReadListBegin(), and, as Skip() does 
> nothing for unknown types, the position in the binary remains the same until 
> the for loop completes. 
> So, when you try to deserialize invalid data, and a field type happens to be 
> detected as TType.List, you may end up waiting for a random period of time 
> until deserialization is completed (734707176 iterations of skipping in my 
> case).
> I suggest throwing an exception immediately when the list element type is 
> unknown. Maybe it would be good to have a setting like *FailOnUnknownType*, 
> so that Skip() will throw instead of ignoring.
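
A fail-fast skip along the lines suggested in the report, as an added C# example that is not code from the Thrift library or from this thread. The class `StrictSkip` and its helpers are hypothetical, the numeric ids are the TType wire values, and string, struct, map and set are omitted; it also goes one step beyond the suggestion by rejecting a list count that cannot fit in the remaining input.

```csharp
using System;

// Added illustration, NOT Apache Thrift source. Type ids are TType wire values;
// string, struct, map and set are omitted. The bytes in Main are constructed.
static class StrictSkip
{
    static int MinSize(byte t)   // smallest TBinaryProtocol encoding of one value
    {
        switch (t)
        {
            case 2: case 3: return 1;    // Bool, Byte
            case 6: return 2;            // I16
            case 8: return 4;            // I32
            case 4: case 10: return 8;   // Double, I64
            case 15: return 5;           // List: element type byte + 4-byte count
            default: throw new FormatException("unknown type id " + t);
        }
    }

    static int ReadI32(byte[] b, ref int pos)   // big-endian; caller checked bounds
    {
        pos += 4;
        return (b[pos - 4] << 24) | (b[pos - 3] << 16) | (b[pos - 2] << 8) | b[pos - 1];
    }

    public static void Skip(byte[] b, ref int pos, byte t, int depth = 0)
    {
        if (depth > 64) throw new FormatException("nesting too deep");
        int min = MinSize(t);                    // rejects unknown field types too
        if (b.Length - pos < min) throw new FormatException("truncated input");
        if (t != 15) { pos += min; return; }     // fixed-size scalar: always advances
        byte elem = b[pos++];
        int count = ReadI32(b, ref pos);
        int elemMin = MinSize(elem);             // throws before the first iteration
        if (count < 0 || (long)count * elemMin > b.Length - pos)
            throw new FormatException("list count exceeds remaining input");
        for (int i = 0; i < count; i++) Skip(b, ref pos, elem, depth + 1);
    }

    static void Main()
    {
        // Constructed header: element type 0x7F (no such TType), count 734707176.
        byte[] bad = { 0x7F, 0x2B, 0xCA, 0xBD, 0xE8 };
        int pos = 0;
        try { Skip(bad, ref pos, 15); }
        catch (FormatException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

Because every accepted element consumes at least one byte, the loop count is bounded by the input length rather than by an attacker-chosen 32-bit value.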


