Thrift / THRIFT-2272

CLONE - Denial of Service attack in TBinaryProtocol.readString

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Incomplete
    • 0.6.1, 0.8
    • 0.9
    • Java - Library
    • All

    Description

      In readString, if the string field's size is greater than the number of bytes remaining in the byte array to deserialize, libthrift will happily allocate a byte array of that size in readStringBody, filling the heap.

      Attachments

        1. 0001-Address-denial-of-service-in-TCompactProtocol.patch
          3 kB
          Valentin Mayamsin
        2. 0001-Add-test-for-TCompactProtocol-OOM-Denial-of-Service.patch
          2 kB
          Valentin Mayamsin
        3. 0002-Add-test-for-TBinaryProtocol-OOM-Denial-of-Service.patch
          2 kB
          Valentin Mayamsin
        4. 0003-Cleanup-length-checks-in-TCompactProtocol.patch
          2 kB
          Valentin Mayamsin
        5. Attack.java
          0.3 kB
          Valentin Mayamsin
        6. Foo.thrift
          0.0 kB
          Valentin Mayamsin

            People

              ntolia Niraj Tolia
              yavalek Valentin Mayamsin

                Time Tracking

                  Original Estimate: 24h
                  Remaining Estimate: 24h
                  Time Spent: Not Specified