[ 
https://issues.apache.org/jira/browse/THRIFT-4362?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16216453#comment-16216453
 ] 

ASF GitHub Bot commented on THRIFT-4362:
----------------------------------------

GitHub user ChristianCiach opened a pull request:

    https://github.com/apache/thrift/pull/1398

    THRIFT-4362 check "read length" in readStringBody(int)

    This fixes THRIFT-4362.
    
    If possible, please port this fix to previous versions. 

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/ChristianCiach/thrift THRIFT-4362

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/thrift/pull/1398.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1398
    
----
commit 37dfb6cfda585aec82226f62814eb00ed609c3fe
Author: christianc <christian.ci...@energymeteo.de>
Date:   2017-10-24T07:25:20Z

    THRIFT-4362 check "read length" in readStringBody(int)

----


> Missing size-check can lead to huge memory allocation
> -----------------------------------------------------
>
>                 Key: THRIFT-4362
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4362
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.9.3, 0.10.0
>            Reporter: Christian Ciach
>            Assignee: James E. King, III
>         Attachments: check-size.patch
>
>
> In some cases the method 
> {{org.apache.thrift.protocol.TBinaryProtocol.readStringBody(int size)}} gets 
> called with a "size" parameter that has not been validated by the existing 
> method {{checkStringReadLength(int size)}}.
> This is true if the method is called by {{readMessageBegin()}} of the same 
> class. The method {{readString()}} checks the size correctly before calling 
> {{readStringBody(int size)}}.
> Since the methods {{readStringBody(int size)}} and {{readMessageBegin()}} are 
> public, there may be other callers who don't check the size correctly.
> We encountered this issue in production several times. Because of this we are 
> currently using our own patched version of libthrift-0.9.3. The patch is 
> attached, but it is surely not the best solution, because with this patch the 
> size may be checked twice, depending on the caller.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
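The allocation path the issue describes, as an added illustration that is not libthrift code and not the change in PR 1398. In the binary protocol's old, unversioned message header (accepted when strict read is off) the first i32 on the wire is the length of the method name, and that length goes straight to readStringBody(int). The names readStringBody and checkStringReadLength mirror the issue; the class name, the limit value, the frame() helper and the constructed wire bytes are assumptions made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public class UnversionedHeaderDemo {
    /** Assumed limit for this example; in libthrift the limit comes from configuration. */
    static final int MAX_STRING_LENGTH = 4096;

    private final DataInputStream in;
    private final boolean checkInReadStringBody;

    UnversionedHeaderDemo(byte[] wire, boolean checkInReadStringBody) {
        this.in = new DataInputStream(new ByteArrayInputStream(wire));
        this.checkInReadStringBody = checkInReadStringBody;
    }

    /** Same shape as the check the issue names: reject negative or oversized lengths. */
    static void checkStringReadLength(int length) throws IOException {
        if (length < 0) {
            throw new IOException("Negative length: " + length);
        }
        if (length > MAX_STRING_LENGTH) {
            throw new IOException("Length exceeded max allowed: " + length);
        }
    }

    /** Reads 'size' bytes as UTF-8. The buffer is allocated before a single byte is consumed. */
    String readStringBody(int size) throws IOException {
        if (checkInReadStringBody) {
            checkStringReadLength(size);   // the check PR 1398 moves into readStringBody
        }
        byte[] buf = new byte[size];       // sized by the peer when no check ran
        in.readFully(buf);
        return new String(buf, StandardCharsets.UTF_8);
    }

    /**
     * Old unversioned header: i32 name length, name bytes, i8 message type, i32 seqid.
     * As the issue states, the length reaches readStringBody(int) without validation;
     * readString(), which does validate, is only used for the versioned header.
     */
    String readMessageBegin() throws IOException {
        int size = in.readInt();
        if (size < 0) {
            throw new IOException("versioned header; not covered by this example");
        }
        String name = readStringBody(size);
        byte type = in.readByte();
        int seqid = in.readInt();
        return name + " type=" + type + " seqid=" + seqid;
    }

    /** Constructed wire bytes; declaredLength may differ from the real name length. */
    static byte[] frame(int declaredLength, String name, byte type, int seqid) throws IOException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        DataOutputStream out = new DataOutputStream(bytes);
        out.writeInt(declaredLength);
        out.write(name.getBytes(StandardCharsets.UTF_8));
        out.writeByte(type);
        out.writeInt(seqid);
        out.flush();
        return bytes.toByteArray();
    }

    static String read(byte[] wire, boolean checked) {
        try {
            return new UnversionedHeaderDemo(wire, checked).readMessageBegin();
        } catch (IOException e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] good = frame(4, "ping", (byte) 1, 7);
        // Header claiming a 64 MiB method name, followed by only four bytes of name.
        byte[] hostile = frame(64 * 1024 * 1024, "ping", (byte) 1, 7);

        System.out.println("good, checked:      " + read(good, true));
        System.out.println("hostile, checked:   " + read(hostile, true));
        // Unchecked: new byte[64 MiB] is allocated first, then readFully fails with EOFException.
        // A peer can declare any value up to 2^31-1, which is the huge allocation from the issue.
        System.out.println("hostile, unchecked: " + read(hostile, false));
    }
}
```

The check only does useful work when a string length limit is actually configured for the protocol; a negative length is rejected either way, but a length of two gigabytes passes an unlimited check, so the fix in readStringBody needs to be paired with a limit that matches the traffic the service expects.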