[ 
https://issues.apache.org/jira/browse/THRIFT-2006?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James E. King, III resolved THRIFT-2006.
----------------------------------------
       Resolution: Won't Fix
    Fix Version/s: 0.9.3

The code path is inside backwards compatibility (pre-versioned) header reads.  
By setting a string size limit in BinaryProtocol before serving, this will 
prevent a core.  Use setStringSizeLimit in BinaryProtocol to set an upper limit 
on string reads.  We could be more strict here, for example if someone was able 
to tell me what the maximum allowed size of a method call name was, we could 
hardcode the limit and prevent this without "optional" behavior.  Nobody could 
provide this information, so I provided a way to achieve the desired behavior 
without any code changes.

> TBinaryProtocol message header call name length is not validated and can be 
> used to core the server
> ---------------------------------------------------------------------------------------------------
>
>                 Key: THRIFT-2006
>                 URL: https://issues.apache.org/jira/browse/THRIFT-2006
>             Project: Thrift
>          Issue Type: Bug
>          Components: C++ - Library
>    Affects Versions: 0.8
>         Environment: SUSE linux
>            Reporter: leeto
>            Assignee: James E. King, III
>            Priority: Critical
>              Labels: DenialOfService
>             Fix For: 0.9.3
>
>
> When scanning the server with the "Nessus" tool, I got the core file below:
> Program terminated with signal 11, Segmentation fault.
> #0  0xf6a97d36 in memcpy () from /lib/libc.so.6
> (gdb) bt
> #0  0xf6a97d36 in memcpy () from /lib/libc.so.6
> #1  0x3d5c9c24 in ?? ()
> #2  0xf5c2096e in apache::thrift::transport::TVirtualTransport<apache::thrift::transport::TBufferedTransport, apache::thrift::transport::TBufferBase>::readAll_virt(unsigned char*, unsigned int) () from /var/opt/lib/libloggingsynchronizer.so
> #3  0xf5c20d2c in apache::thrift::protocol::TBinaryProtocolT<apache::thrift::transport::TTransport>::readStringBody(std::string&, int) () from /var/opt/lib/libloggingsynchronizer.so
> #4  0xf5c2139b in apache::thrift::protocol::TBinaryProtocolT<apache::thrift::transport::TTransport>::readMessageBegin(std::string&, apache::thrift::protocol::TMessageType&, int&) () from /var/opt/lib/libloggingsynchronizer.so
> #5  0xf5c215e2 in apache::thrift::protocol::TVirtualProtocol<apache::thrift::protocol::TBinaryProtocolT<apache::thrift::transport::TTransport>, apache::thrift::protocol::TProtocolDefaults>::readMessageBegin_virt(std::string&, apache::thrift::protocol::TMessageType&, int&) () from /var/opt/lib/libloggingsynchronizer.so
> #6  0xf5c182ad in Logging::LoggingConfigSynchronizerProcessor::process(boost::shared_ptr<apache::thrift::protocol::TProtocol>, boost::shared_ptr<apache::thrift::protocol::TProtocol>, void*) () from /var/opt/lib/libloggingsynchronizer.so
> #7  0xed2b0d5b in apache::thrift::server::TSimpleServer::serve (this=0xf60eeba0) at src/server/TSimpleServer.cpp:103
> #8  0xf5c1b378 in Logging::Synchronizer::serve() () from /var/opt/lib/libloggingsynchronizer.so
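
The header read described in the report and the resolution above, as a simplified model added here (example code, not Thrift's own implementation): it walks both the versioned and the pre-versioned (backwards compatibility) branches of the message header over a constructed byte buffer and shows that a string size limit rejects an oversized method-name length before any body read is attempted. The names parse_message_begin, read_string_body, HeaderStatus and MessageBegin are my own, as are the sample byte buffers.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Simplified model of TBinaryProtocol::readMessageBegin (example code, not
// Thrift's own). Integers are big-endian int32 as on the wire.
enum class HeaderStatus { Ok, BadVersion, NegativeSize, SizeLimit, Truncated };
struct MessageBegin { std::string name; int type = 0; int32_t seqid = 0; };
static const int32_t VERSION_MASK = static_cast<int32_t>(0xffff0000u);
static const int32_t VERSION_1 = static_cast<int32_t>(0x80010000u);

static bool read_i32(const std::vector<uint8_t>& buf, size_t& pos, int32_t& out) {
    if (buf.size() - pos < 4) return false;
    out = static_cast<int32_t>((uint32_t(buf[pos]) << 24) | (uint32_t(buf[pos + 1]) << 16) |
                               (uint32_t(buf[pos + 2]) << 8) | uint32_t(buf[pos + 3]));
    pos += 4;
    return true;
}

// Reads `size` bytes of string body. string_limit == 0 means "no limit" (the
// default); with a limit set, an oversized length is rejected before any read.
static HeaderStatus read_string_body(const std::vector<uint8_t>& buf, size_t& pos,
                                     int32_t size, int32_t string_limit, std::string& out) {
    if (size < 0) return HeaderStatus::NegativeSize;
    if (string_limit > 0 && size > string_limit) return HeaderStatus::SizeLimit;
    // Here the real library readAll()s `size` bytes, blocking or crashing on a
    // huge length; this model only reports that the buffer is too short.
    if (static_cast<size_t>(size) > buf.size() - pos) return HeaderStatus::Truncated;
    out.assign(buf.begin() + pos, buf.begin() + pos + size);
    pos += size;
    return HeaderStatus::Ok;
}

HeaderStatus parse_message_begin(const std::vector<uint8_t>& buf, int32_t string_limit,
                                 MessageBegin& mb) {
    size_t pos = 0;
    int32_t sz, len;
    if (!read_i32(buf, pos, sz)) return HeaderStatus::Truncated;
    if (sz < 0) {  // versioned header: version in the high bits, type in the low byte
        if ((sz & VERSION_MASK) != VERSION_1) return HeaderStatus::BadVersion;
        mb.type = sz & 0xff;
        if (!read_i32(buf, pos, len)) return HeaderStatus::Truncated;
    } else {       // pre-versioned header: sz itself is the method-name length
        len = sz;
    }
    HeaderStatus s = read_string_body(buf, pos, len, string_limit, mb.name);
    if (s != HeaderStatus::Ok) return s;
    if (sz >= 0) {  // pre-versioned: the message type byte follows the name
        if (pos >= buf.size()) return HeaderStatus::Truncated;
        mb.type = buf[pos++];
    }
    return read_i32(buf, pos, mb.seqid) ? HeaderStatus::Ok : HeaderStatus::Truncated;
}
```

With string_limit left at 0 the pre-versioned branch accepts any non-negative length, which is the default the report hit; passing the limit the resolution recommends turns the same input into a SizeLimit error.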



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)