Christian Ciach created THRIFT-4362:
---------------------------------------

Summary: Missing size-check can lead to huge memory allocation
Key: THRIFT-4362
URL: https://issues.apache.org/jira/browse/THRIFT-4362
Project: Thrift
Issue Type: Bug
Components: Java - Library
Affects Versions: 0.10.0, 0.9.3
Reporter: Christian Ciach

In some cases the method {{org.apache.thrift.protocol.TBinaryProtocol.readStringBody(int size)}} gets called with a "size" parameter that has not been validated by the existing method {{checkStringReadLength(int size)}}. This is true if the method is called by {{readMessageBegin()}} of the same class. The method {{readString()}} checks the size correctly before calling {{readStringBody(int size)}}.

Since the readStringBody method is public, there may be other callers who don't check the size before calling this method.

We encountered this issue in production several times. Because of this we are currently using our own patched version of libthrift-0.9.3. The patch is attached, but it is surely not the best solution, because with this patch the size may be checked twice, depending on the caller.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
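The following is an added illustration of the pattern the report describes, not code from the Thrift project or from the reporter's attached patch. It uses a hypothetical stand-alone reader class ({{BoundedStringReader}}) rather than {{TBinaryProtocol}}, and the limit value, frame bytes and method names other than those named in the report are constructed assumptions. It shows why a length prefix that reaches the allocation unchecked is a memory-exhaustion risk, and why putting the check inside the body-reading method itself protects every caller, including public callers outside the class:

```java
import java.io.ByteArrayInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

// Hypothetical minimal length-prefixed string reader (an assumption for this
// example, not Thrift's TBinaryProtocol). It mirrors the shape of the report:
// a 4-byte length prefix read from the wire, followed by a body allocation.
public class BoundedStringReader {
    private final InputStream in;
    private final int stringLengthLimit; // assumed configurable upper bound, in bytes

    public BoundedStringReader(InputStream in, int stringLengthLimit) {
        this.in = in;
        this.stringLengthLimit = stringLengthLimit;
    }

    // Big-endian 32-bit length prefix, as a binary protocol would encode it.
    // The value comes straight from the peer and is therefore untrusted.
    public int readI32() throws IOException {
        byte[] b = new byte[4];
        readFully(b);
        return ((b[0] & 0xff) << 24) | ((b[1] & 0xff) << 16)
             | ((b[2] & 0xff) << 8)  |  (b[3] & 0xff);
    }

    // The validation the report refers to: reject negative and oversized lengths
    // before any allocation happens.
    public void checkStringReadLength(int size) throws IOException {
        if (size < 0) {
            throw new IOException("negative string length: " + size);
        }
        if (size > stringLengthLimit) {
            throw new IOException("string length " + size
                    + " exceeds limit " + stringLengthLimit);
        }
    }

    // UNGUARDED variant (the risk described in the report): the allocation is sized
    // by the peer-supplied value. A prefix of 0x7fffffff asks for ~2 GiB before a
    // single payload byte has been read, so a short hostile frame can exhaust heap.
    public String readStringBodyUnchecked(int size) throws IOException {
        byte[] buf = new byte[size];
        readFully(buf);
        return new String(buf, StandardCharsets.UTF_8);
    }

    // GUARDED variant: the check lives inside the body reader, so it holds for every
    // caller (readMessageBegin-style callers, readString-style callers, and external
    // code using the public method) regardless of whether they validated already.
    public String readStringBody(int size) throws IOException {
        checkStringReadLength(size);
        byte[] buf = new byte[size];
        readFully(buf);
        return new String(buf, StandardCharsets.UTF_8);
    }

    // Fills buf completely or fails; never trusts a partial read silently.
    private void readFully(byte[] buf) throws IOException {
        int off = 0;
        while (off < buf.length) {
            int n = in.read(buf, off, buf.length - off);
            if (n < 0) {
                throw new EOFException("stream ended after " + off + " of " + buf.length + " bytes");
            }
            off += n;
        }
    }

    public static void main(String[] args) throws IOException {
        int limit = 16 * 1024 * 1024; // assumed 16 MiB cap for this example

        // Constructed hostile frame: maximum positive length prefix, no payload.
        byte[] hostile = {0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff};
        BoundedStringReader r = new BoundedStringReader(new ByteArrayInputStream(hostile), limit);
        int claimed = r.readI32(); // 2147483647
        try {
            r.readStringBody(claimed); // rejected by the in-method check, no allocation
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Constructed well-formed frame: length 5 followed by "hello".
        byte[] ok = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
        BoundedStringReader r2 = new BoundedStringReader(new ByteArrayInputStream(ok), limit);
        System.out.println("read: " + r2.readStringBody(r2.readI32()));
    }
}
```

The double-check the reporter mentions (a caller validating and the body method validating again) costs two integer comparisons per string and is the safer trade: a public method that allocates from a wire-supplied length should not depend on its callers having done the check first.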