Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Duplicate
- Affects Version/s: 0.7, 0.8
- Fix Version/s: None
- Environment: Linux
Description
In the Thrift source tree, the file lib/c_glib/src/transport/thrift_socket.c contains the function thrift_socket_read():
------------------------------------------------------
...
/* implements thrift_transport_read */
gint32
thrift_socket_read (ThriftTransport *transport, gpointer buf,
                    guint32 len, GError **error)
{
  gint ret = 0;
  guint got = 0;
  ThriftSocket *socket = THRIFT_SOCKET (transport);
  while (got < len)
  {
    /* <====== In each while-loop iteration data are written from the
     * beginning of the buffer, so previously collected data are overwritten.
     * This eventually leads to a corrupted frame in the Thrift framed
     * transport and causes a crash. To fix, replace 'buf' with 'buf + got'
     * and 'len' with 'len - got'. */
    ret = recv (socket->sd, buf, len, 0);
    if (ret < 0)
    {
      g_set_error (error, THRIFT_TRANSPORT_ERROR, THRIFT_TRANSPORT_ERROR_RECEIVE,
                   "failed to read %d bytes - %s", len, strerror(errno));
      return -1;
    }
    got += ret;
  }
  return got;
}
...
------------------------------------------------------
At the time of writing this bug is present in Thrift 0.7, 0.8 and in trunk.
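The following is an added, self-contained illustration of the defect described above; it is not Thrift code. A constructed stand-in for a socket (FakePeer / fake_recv, names chosen here) delivers a framed message in pieces, the way recv(2) may return fewer bytes than requested. The loop shaped like the reported thrift_socket_read is run beside the corrected loop ('buf + got', 'len - got'), and the result is checked the way a framed transport would use it: by decoding the 4-byte length prefix.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a connected socket: it hands out a fixed byte
 * sequence in pieces of at most `chunk` bytes per call, mimicking recv(2)
 * returning short reads. Not Thrift code. */
typedef struct {
    const unsigned char *data;
    size_t total;
    size_t offset;
    size_t chunk;
} FakePeer;

static long fake_recv(FakePeer *p, void *buf, size_t len)
{
    size_t n = p->total - p->offset;   /* bytes still unread */
    if (n > len) n = len;
    if (n > p->chunk) n = p->chunk;
    memcpy(buf, p->data + p->offset, n);
    p->offset += n;
    return (long)n;                     /* 0 signals end of stream, as recv does */
}

typedef long (*reader_fn)(FakePeer *, unsigned char *, size_t);

/* Same shape as the reported thrift_socket_read loop: every iteration writes
 * to the start of buf and asks for the full length, so bytes collected by
 * earlier iterations are overwritten. An EOF check is added only so the
 * demo cannot spin forever. */
static long read_overwriting(FakePeer *p, unsigned char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        long ret = fake_recv(p, buf, len);
        if (ret < 0) return -1;
        if (ret == 0) break;
        got += (size_t)ret;
    }
    return (long)got;
}

/* The fix the report proposes: advance the destination by `got` and request
 * only the `len - got` bytes still missing. */
static long read_accumulating(FakePeer *p, unsigned char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        long ret = fake_recv(p, buf + got, len - got);
        if (ret < 0) return -1;
        if (ret == 0) break;
        got += (size_t)ret;
    }
    return (long)got;
}

/* Constructed framed-transport message: 4-byte big-endian length, then payload. */
static const unsigned char FRAME[] = { 0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };

/* Read the whole frame through `reader` with the peer delivering `chunk`
 * bytes per call; returns 1 if the buffer matches FRAME byte for byte. */
static int frame_intact(reader_fn reader, size_t chunk)
{
    FakePeer p = { FRAME, sizeof FRAME, 0, chunk };
    unsigned char buf[sizeof FRAME];
    memset(buf, 0, sizeof buf);
    long n = reader(&p, buf, sizeof buf);
    return n == (long)sizeof buf && memcmp(buf, FRAME, sizeof buf) == 0;
}

/* The frame length a framed transport would decode from the first four
 * bytes of whatever `reader` assembled. */
static uint32_t decoded_frame_length(reader_fn reader, size_t chunk)
{
    FakePeer p = { FRAME, sizeof FRAME, 0, chunk };
    unsigned char buf[sizeof FRAME];
    memset(buf, 0, sizeof buf);
    reader(&p, buf, sizeof buf);
    return ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16)
         | ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
}

int main(void)
{
    printf("whole frame in one recv: buggy=%d fixed=%d\n",
           frame_intact(read_overwriting, sizeof FRAME),
           frame_intact(read_accumulating, sizeof FRAME));
    printf("frame in 4-byte pieces:  buggy=%d fixed=%d\n",
           frame_intact(read_overwriting, 4), frame_intact(read_accumulating, 4));
    printf("decoded length, pieces:  buggy=%u fixed=%u\n",
           (unsigned)decoded_frame_length(read_overwriting, 4),
           (unsigned)decoded_frame_length(read_accumulating, 4));
    return 0;
}
```

When the peer delivers the whole frame in one call both loops agree, which is why the defect is easy to miss on a fast local link. Once the data arrives in pieces, the overwriting loop leaves the payload's last bytes where the length prefix should be, and the framed transport decodes a length of roughly 1.87 GB from "oell" instead of 5; that is the corrupted frame and crash the report describes.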
Issue Links
- duplicates: THRIFT-1414 bufferoverflow in c_glib buffered transport/socket client (Closed)