[jira] [Commented] (THRIFT-4362) Missing size-check can lead to huge memory allocation

Tue, 24 Oct 2017 00:30:40 -0700 

    [ 
https://issues.apache.org/jira/browse/THRIFT-4362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16216453#comment-16216453
 ] 

ASF GitHub Bot commented on THRIFT-4362:
----------------------------------------

GitHub user ChristianCiach opened a pull request:

    https://github.com/apache/thrift/pull/1398

    THRIFT-4362 check "read length" in readStringBody(int)

    This fixes THRIFT-4362.
    
    If possible, please port this fix to previous versions. 

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/ChristianCiach/thrift THRIFT-4362

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/thrift/pull/1398.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1398
    
----
commit 37dfb6cfda585aec82226f62814eb00ed609c3fe
Author: christianc <christian.ci...@energymeteo.de>
Date:   2017-10-24T07:25:20Z

    THRIFT-4362 check "read length" in readStringBody(int)

----


> Missing size-check can lead to huge memory allocation
> -----------------------------------------------------
>
>                 Key: THRIFT-4362
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4362
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.9.3, 0.10.0
>            Reporter: Christian Ciach
>            Assignee: James E. King, III
>         Attachments: check-size.patch
>
>
> In some cases the method 
> {{org.apache.thrift.protocol.TBinaryProtocol.readStringBody(int size)}} gets 
> called with a "size" parameter that has not been validated by the existing 
> method {{checkStringReadLength(int size)}}.
> This is true if the method is called by {{readMessageBegin()}} of the same 
> class. The method {{readString()}} checks the size correctly before calling 
> {{readStringBody(int size)}}.
> Since the methods {{readStringBody(int size)}} and {{readMessageBegin()}} are 
> public, there may be other callers who don't check the size correctly.
> We encountered this issue in production several times. Because of this we are 
> currently using our own patched version of libthrift-0.9.3. The patch is 
> attached, but it is surely not the best solution, because with this patch the 
> size may be checked twice, depending on the caller.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to