[ https://issues.apache.org/jira/browse/THRIFT-4362?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christian Ciach updated THRIFT-4362:
------------------------------------
    Description: 
In some cases the method 
{{org.apache.thrift.protocol.TBinaryProtocol.readStringBody(int size)}} gets 
called with a "size" parameter that has not been validated by the existing 
method {{checkStringReadLength(int size)}}.

This is true if the method is called by {{readMessageBegin()}} of the same 
class. The method {{readString()}} checks the size correctly before calling 
{{readStringBody(int size)}}.

Since the methods {{readStringBody(int size)}} and {{readMessageBegin()}} are 
public, there may be other callers who don't check the size correctly.

We encountered this issue in production several times. Because of this we are 
currently using our own patched version of libthrift-0.9.3. The patch is 
attached, but it is surely not the best solution, because with this patch the 
size may be checked twice, depending on the caller.

  was:
In some cases the method 
{{org.apache.thrift.protocol.TBinaryProtocol.readStringBody(int size)}} gets 
called with a "size" parameter that has not been validated by the existing 
method {{checkStringReadLength(int size)}}.

This is true if the method is called by {{readMessageBegin()}} of the same 
class. The method {{readString()}} checks the size correctly before calling 
{{readStringBody(int size)}}.

Since the readMessageBegin-method is public, there may be other callers who 
don't check the size before calling this method.

We encountered this issue in production several times. Because of this we are 
currently using our own patched version of libthrift-0.9.3. The patch is 
attached, but it is surely not the best solution, because with this patch the 
size may be checked twice, depending on the caller.


> Missing size-check can lead to huge memory allocation
> -----------------------------------------------------
>
>                 Key: THRIFT-4362
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4362
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.9.3, 0.10.0
>            Reporter: Christian Ciach
>         Attachments: check-size.patch
>



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
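The two code paths the report describes, as an added example that is not part of the issue and not libthrift code: a self-contained re-creation of the readMessageBegin() and readStringBody() logic over an in-memory byte stream, so the effect of the missing check can be exercised without libthrift on the classpath. The VERSION_MASK, VERSION_1 and NO_LENGTH_LIMIT values match TBinaryProtocol; the class name, the method names readStringBodyUnchecked/readStringBodyChecked/readMessageName, the oldStyleHeader helper, the IOException-based error reporting and the constructed wire bytes are this example's own assumptions.

```java
// Added example for THRIFT-4362 (not libthrift code): a minimal re-creation of
// the readMessageBegin() / readStringBody() paths over an in-memory byte stream.
// Constants match TBinaryProtocol; the class, method names and the use of
// IOException for protocol errors are this example's own.
import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

public class MessageBeginSizeCheck {
    // Same values as org.apache.thrift.protocol.TBinaryProtocol.
    static final int VERSION_MASK = 0xffff0000;
    static final int VERSION_1 = 0x80010000;
    static final int NO_LENGTH_LIMIT = -1;

    private final DataInputStream in;
    private final int stringLengthLimit;
    private final boolean strictRead;

    MessageBeginSizeCheck(byte[] wire, int stringLengthLimit, boolean strictRead) {
        this.in = new DataInputStream(new ByteArrayInputStream(wire));
        this.stringLengthLimit = stringLengthLimit;
        this.strictRead = strictRead;
    }

    // Mirrors checkStringReadLength(): reject negative and over-limit sizes
    // before any buffer is allocated.
    void checkStringReadLength(int length) throws IOException {
        if (length < 0) {
            throw new IOException("Negative length: " + length);
        }
        if (stringLengthLimit != NO_LENGTH_LIMIT && length > stringLengthLimit) {
            throw new IOException("Length exceeded max allowed: " + length);
        }
    }

    // Shape of 0.9.3's readStringBody(): trusts the caller to have checked
    // size, so an untrusted i32 goes straight to the allocator.
    String readStringBodyUnchecked(int size) throws IOException {
        byte[] buf = new byte[size];
        in.readFully(buf);
        return new String(buf, StandardCharsets.UTF_8);
    }

    // Hardened shape: the check lives inside readStringBody(), so every
    // caller, including readMessageBegin(), is covered.
    String readStringBodyChecked(int size) throws IOException {
        checkStringReadLength(size);
        byte[] buf = new byte[size];
        in.readFully(buf);
        return new String(buf, StandardCharsets.UTF_8);
    }

    // Reads the method name the way readMessageBegin() does. A negative first
    // i32 carries the version; the name then goes through readString(), which
    // checks the length. A non-negative first i32 is the old unversioned
    // framing: that i32 *is* the name length and is handed to readStringBody()
    // unchecked. That second branch is the one the issue reports.
    String readMessageName(boolean hardened) throws IOException {
        int size = in.readInt();
        if (size < 0) {
            if ((size & VERSION_MASK) != VERSION_1) {
                throw new IOException("Bad version in readMessageBegin");
            }
            int nameLen = in.readInt();
            checkStringReadLength(nameLen);          // what readString() does
            return readStringBodyUnchecked(nameLen);
        }
        if (strictRead) {
            throw new IOException("Missing version in readMessageBegin, old client?");
        }
        return hardened ? readStringBodyChecked(size) : readStringBodyUnchecked(size);
    }

    // Constructed wire bytes for an old-style header: big-endian i32 length,
    // then the name. claimedLength need not match the real name length.
    static byte[] oldStyleHeader(int claimedLength, String name) {
        byte[] nameBytes = name.getBytes(StandardCharsets.UTF_8);
        ByteBuffer b = ByteBuffer.allocate(4 + nameBytes.length);
        b.putInt(claimedLength);
        b.put(nameBytes);
        return b.array();
    }

    public static void main(String[] args) throws IOException {
        int limit = 1024;   // a configured stringLengthLimit_; the library default is no limit

        byte[] benign = oldStyleHeader(4, "ping");
        System.out.println("benign: " + new MessageBeginSizeCheck(benign, limit, false).readMessageName(true));

        // Four bytes on the wire claim a ~2 GiB method name.
        byte[] hostile = oldStyleHeader(Integer.MAX_VALUE, "ping");
        try {
            new MessageBeginSizeCheck(hostile, limit, false).readMessageName(true);
        } catch (IOException e) {
            System.out.println("hardened path rejected it: " + e.getMessage());
        }
        // readMessageName(false) on `hostile` reaches new byte[Integer.MAX_VALUE]
        // and ends in OutOfMemoryError; it is deliberately not invoked here.
        // With strictRead=true the unversioned framing is refused outright.
    }
}
```

Two caveats for anyone relying on this check in a real deployment: TBinaryProtocol's default constructor sets strictRead to false, so the unversioned branch is reachable by any peer that sends a non-negative first i32, and stringLengthLimit_ defaults to NO_LENGTH_LIMIT unless the protocol is built through a TBinaryProtocol.Factory with an explicit limit, in which case checkStringReadLength() only rejects negative sizes and a claimed length of Integer.MAX_VALUE still reaches the allocator. Moving the check into readStringBody() closes the readMessageBegin() gap; configuring a limit is what makes the check bite.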