[ https://issues.apache.org/jira/browse/THRIFT-4362?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Christian Ciach updated THRIFT-4362: ------------------------------------ Description: In some cases the method {{org.apache.thrift.protocol.TBinaryProtocol.readStringBody(int size)}} gets called with a "size" parameter that has not been validated by the existing method {{checkStringReadLength(int size)}}. This is true if the method is called by {{readMessageBegin()}} of the same class. The method {{readString()}} checks the size correctly before calling {{readStringBody(int size)}}. Since the methods {{readStringBody(int size)}} and {{readMessageBegin()}} are public, there may be other callers who don't check the size correctly. We encountered this issue in production several times. Because of this we are currently using our own patched version of libthrift-0.9.3. The patch is attached, but it is surely not the best solution, because with this patch the size may be checked twice, depending on the caller. was: In some cases the method {{org.apache.thrift.protocol.TBinaryProtocol.readStringBody(int size)}} gets called with a "size" parameter that has not been validated by the existing method {{checkStringReadLength(int size)}}. This is true if the method is called by {{readMessageBegin()}} of the same class. The method {{readString()}} checks the size correctly before calling {{readStringBody(int size)}}. Since the readMessageBegin-method is public, there may be other callers who don't check the size before calling this method. We encountered this issue in production several times. Because of this we are currently using our own patched version of libthrift-0.9.3. The patch is attached, but it is surely not the best solution, because with this patch the size may be checked twice, depending on the caller. > Missing size-check can lead to huge memory allocation > ----------------------------------------------------- > > Key: THRIFT-4362 > URL: https://issues.apache.org/jira/browse/THRIFT-4362 > Project: Thrift > Issue Type: Bug > Components: Java - Library > Affects Versions: 0.9.3, 0.10.0 > Reporter: Christian Ciach > Attachments: check-size.patch > > > In some cases the method > {{org.apache.thrift.protocol.TBinaryProtocol.readStringBody(int size)}} gets > called with a "size" parameter that has not been validated by the existing > method {{checkStringReadLength(int size)}}. > This is true if the method is called by {{readMessageBegin()}} of the same > class. The method {{readString()}} checks the size correctly before calling > {{readStringBody(int size)}}. > Since the methods {{readStringBody(int size)}} and {{readMessageBegin()}} are > public, there may be other callers who don't check the size correctly. > We encountered this issue in production several times. Because of this we are > currently using our own patched version of libthrift-0.9.3. The patch is > attached, but it is surely not the best solution, because with this patch the > size may be checked twice, depending on the caller. -- This message was sent by Atlassian JIRA (v6.4.14#64029)