THRIFT-4362: Missing size-check can lead to huge memory allocation

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.9.3, 0.10.0
    • Fix Version/s: 0.11.0
    • Component/s: Java - Library
    • Labels: None
    • Patch Info: Patch Available
    • Patch

    Description

      In some cases the method org.apache.thrift.protocol.TBinaryProtocol.readStringBody(int size) gets called with a "size" parameter that has not been validated by the existing method checkStringReadLength(int size).

      This is true if the method is called by readMessageBegin() of the same class. The method readString() checks the size correctly before calling readStringBody(int size).

      Since the methods readStringBody(int size) and readMessageBegin() are public, there may be other callers who don't check the size correctly.

      We encountered this issue in production several times. Because of this we are currently using our own patched version of libthrift-0.9.3. The patch is attached, but it is surely not the best solution, because with this patch the size may be checked twice, depending on the caller.
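      The pattern described above, as an added illustration rather than Thrift's own code: a small hypothetical reader (class and method names are invented for this example, though they mirror the ones named in the report) reads a big-endian 4-byte length prefix and then allocates a buffer of that size. `readMessageNameUnchecked()` hands the untrusted length straight to the allocating method, so a crafted prefix such as `Integer.MAX_VALUE` or `-1` reaches `new byte[size]` directly; `readMessageNameChecked()` adds the single guard call first. The limit value and the extra "more than remaining bytes" check are assumptions for this example, not values taken from the library.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

/** Hypothetical length-prefixed reader; illustrates the missing-check pattern, not Thrift's code. */
public class LengthPrefixedReader {
    // Assumed upper bound on any string body we are willing to allocate.
    static final int MAX_STRING_LENGTH = 16 * 1024 * 1024;

    private final ByteBuffer in;

    LengthPrefixedReader(byte[] frame) {
        this.in = ByteBuffer.wrap(frame); // big-endian by default, like a binary protocol i32
    }

    int readI32() throws ProtocolException {
        if (in.remaining() < 4) throw new ProtocolException("truncated i32");
        return in.getInt();
    }

    /** The guard: reject negative, oversize, or impossible lengths before any allocation. */
    void checkStringReadLength(int size) throws ProtocolException {
        if (size < 0) throw new ProtocolException("negative string length: " + size);
        if (size > MAX_STRING_LENGTH)
            throw new ProtocolException("string length " + size + " exceeds limit " + MAX_STRING_LENGTH);
        if (size > in.remaining()) // assumed extra check: cannot be longer than the bytes we actually hold
            throw new ProtocolException("string length " + size + " exceeds remaining bytes " + in.remaining());
    }

    /** Allocates size bytes; trusts its caller to have validated size (the risky part). */
    String readStringBody(int size) throws ProtocolException {
        byte[] buf = new byte[size]; // attacker-controlled size lands here if nobody checked it
        in.get(buf);
        return new String(buf, StandardCharsets.UTF_8);
    }

    /** Safe caller: validates before delegating. */
    String readString() throws ProtocolException {
        int size = readI32();
        checkStringReadLength(size);
        return readStringBody(size);
    }

    /** Pattern the issue reports: the raw length drives the allocation with no check. */
    String readMessageNameUnchecked() throws ProtocolException {
        return readStringBody(readI32());
    }

    /** Hardened variant: same structure, one guard call added. */
    String readMessageNameChecked() throws ProtocolException {
        int size = readI32();
        checkStringReadLength(size);
        return readStringBody(size);
    }

    static class ProtocolException extends Exception {
        ProtocolException(String m) { super(m); }
    }

    // Constructed test frames: declared length prefix followed by a body.
    static byte[] frame(int declaredLength, byte[] body) {
        ByteBuffer b = ByteBuffer.allocate(4 + body.length);
        b.putInt(declaredLength).put(body);
        return b.array();
    }

    public static void main(String[] args) throws Exception {
        byte[] name = "ping".getBytes(StandardCharsets.UTF_8);

        // Well-formed frame: both paths behave the same.
        System.out.println(new LengthPrefixedReader(frame(name.length, name)).readMessageNameChecked());

        // Hostile prefixes. On the unchecked path these reach new byte[size] directly
        // (a ~2 GB allocation attempt, or NegativeArraySizeException); the checked path rejects them first.
        for (int bad : new int[] { Integer.MAX_VALUE, -1 }) {
            try {
                new LengthPrefixedReader(frame(bad, name)).readMessageNameChecked();
            } catch (ProtocolException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

      The fix the report asks for is exactly the difference between the two `readMessageName*` methods. Checking inside `readStringBody` itself (as the attached patch does) closes the hole for every public caller at the cost of a redundant check on paths like `readString()` that already validated; the redundant comparison is cheap, and it is the allocation, not the check, that is the expensive and dangerous step.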

      Attachments

        1. check-size.patch (0.7 kB, Christian Ciach)

      People

        Assignee: jking3 (James E. King III)
        Reporter: ChristianCiach (Christian Ciach)
        Votes: 0
        Watchers: 4