Thrift / THRIFT-2272

CLONE - Denial of Service attack in TBinaryProtocol.readString

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Incomplete
    • 0.6.1, 0.8
    • 0.9
    • Java - Library
    • All

    Description

      In readString, if the string field's size is greater than the number of bytes remaining in the byte array to deserialize, libthrift will happily allocate a byte array of that size in readStringBody, filling the heap.
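
The allocation pattern described above, next to a bounded version, as an added example (not libthrift code and not taken from the attached patches). It uses a simplified stand-in for a length-prefixed string field (4-byte big-endian size followed by the bytes); the class name, method names and `MAX_STRING_LEN` are hypothetical.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

public class ReadStringBound {
    // Hypothetical cap on a single string field; not a Thrift setting.
    static final int MAX_STRING_LEN = 1 << 20;

    // The pattern the description reports: the declared size drives the
    // allocation, and the shortfall is only noticed afterwards.
    static String readStringUnchecked(ByteBuffer in) {
        int size = in.getInt();                 // 4-byte big-endian length prefix
        byte[] buf = new byte[size];            // sized by untrusted input
        in.get(buf);                            // underflow is detected too late
        return new String(buf, StandardCharsets.UTF_8);
    }

    // Hardened form: validate the declared size before allocating.
    static String readStringChecked(ByteBuffer in) {
        if (in.remaining() < 4) {
            throw new IllegalArgumentException("truncated length prefix");
        }
        int size = in.getInt();
        if (size < 0 || size > MAX_STRING_LEN || size > in.remaining()) {
            throw new IllegalArgumentException(
                "declared size " + size + " rejected; " + in.remaining() + " bytes remain");
        }
        byte[] buf = new byte[size];
        in.get(buf);
        return new String(buf, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed inputs: a well-formed field, and one whose declared
        // size (0x7fffffff) far exceeds the two bytes that follow it.
        byte[] ok  = {0, 0, 0, 2, 'h', 'i'};
        byte[] bad = {0x7f, (byte) 0xff, (byte) 0xff, (byte) 0xff, 'h', 'i'};

        System.out.println(readStringChecked(ByteBuffer.wrap(ok)));
        System.out.println(readStringUnchecked(ByteBuffer.wrap(ok)));
        try {
            readStringChecked(ByteBuffer.wrap(bad));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The remaining-bytes comparison only works when the transport can report how much data is left; for a streaming transport the fixed cap is the bound that still applies.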

      Attachments

        1. Foo.thrift
          0.0 kB
          Valentin Mayamsin
        2. Attack.java
          0.3 kB
          Valentin Mayamsin
        3. 0003-Cleanup-length-checks-in-TCompactProtocol.patch
          2 kB
          Valentin Mayamsin
        4. 0002-Add-test-for-TBinaryProtocol-OOM-Denial-of-Service.patch
          2 kB
          Valentin Mayamsin
        5. 0001-Add-test-for-TCompactProtocol-OOM-Denial-of-Service.patch
          2 kB
          Valentin Mayamsin
        6. 0001-Address-denial-of-service-in-TCompactProtocol.patch
          3 kB
          Valentin Mayamsin

          People

            ntolia Niraj Tolia
            yavalek Valentin Mayamsin
            Votes: 2
            Watchers: 4

              Time Tracking

                Original Estimate: 24h
                Remaining Estimate: 24h
                Time Spent: Not Specified