Thrift / THRIFT-4362

Missing size-check can lead to huge memory allocation


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.9.3, 0.10.0
    • Fix Version/s: 0.11.0
    • Component/s: Java - Library
    • Labels: None
    • Patch Info: Patch Available
    • Flags: Patch

      Description

      In some cases the method org.apache.thrift.protocol.TBinaryProtocol.readStringBody(int size) gets called with a "size" parameter that has not been validated by the existing method checkStringReadLength(int size).

      This is true if the method is called by readMessageBegin() of the same class. The method readString() checks the size correctly before calling readStringBody(int size).

      Since the methods readStringBody(int size) and readMessageBegin() are public, there may be other callers who don't check the size correctly.

      We encountered this issue in production several times. Because of this we are currently using our own patched version of libthrift-0.9.3. The patch is attached, but it is surely not the best solution, because with this patch the size may be checked twice, depending on the caller.
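As an added illustration (not code from the Thrift project or from the attached patch), the Python model below mirrors the shape of TBinaryProtocol's header parsing: read_string() validates the length it reads, while the old-style branch of read_message_begin() receives the raw length directly and must run check_string_read_length() itself before read_string_body() allocates. The reader class, the limit value and the helper accepts_header() are assumptions made for this example.

```python
VERSION_MASK, VERSION_1 = 0xFFFF0000, 0x80010000  # Thrift binary-protocol strict-header constants
MAX_STRING_LEN = 1 << 20  # assumed per-deployment limit; libthrift's default is "no limit"

class SizeLimitError(ValueError):
    """A wire-supplied length is negative or exceeds the configured limit."""

class CheckedBinaryReader:
    # Model of TBinaryProtocol's message-header parsing with the size check on every path
    def __init__(self, data, max_string_len=MAX_STRING_LEN):
        self.buf, self.pos, self.limit = data, 0, max_string_len

    def read_i32(self):
        v = int.from_bytes(self.buf[self.pos:self.pos + 4], "big", signed=True)
        self.pos += 4
        return v

    def check_string_read_length(self, size):
        # The only gate between an attacker-controlled i32 and an allocation of that size
        if size < 0 or size > self.limit:
            raise SizeLimitError(f"string length {size} outside [0, {self.limit}]")

    def read_string_body(self, size):
        # Allocates `size` bytes; public in Thrift, so every caller must validate first
        chunk = bytes(self.buf[self.pos:self.pos + size])
        self.pos += size
        return chunk.decode("utf-8")

    def read_string(self):
        size = self.read_i32()
        self.check_string_read_length(size)  # this path was already safe
        return self.read_string_body(size)

    def read_message_begin(self):
        size = self.read_i32()
        if size < 0:  # strict header: version|type, name via read_string, seqid
            if size & VERSION_MASK != VERSION_1:
                raise ValueError("bad version in message header")
            return self.read_string(), size & 0xFF, self.read_i32()
        # Old-style header: the raw name length arrives here without passing through
        # read_string, so check it before read_string_body allocates (the reported gap)
        self.check_string_read_length(size)
        name = self.read_string_body(size)
        mtype, self.pos = self.buf[self.pos], self.pos + 1  # i8 message type follows the name
        return name, mtype, self.read_i32()

def accepts_header(data, max_string_len=MAX_STRING_LEN):
    # True if the header parses within limits, False if its length field was rejected
    try:
        CheckedBinaryReader(data, max_string_len).read_message_begin()
        return True
    except SizeLimitError:
        return False
```

Because the check runs before any buffer is sized, a header whose length field claims 2 GB is rejected without allocating anything, on both the strict and the old-style path.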

        Attachments

        1. check-size.patch (0.7 kB, Christian Ciach)


               People

               • Assignee: James E. King III (jking3)
               • Reporter: Christian Ciach (ChristianCiach)
               • Votes: 0
               • Watchers: 3
