Thrift / THRIFT-4362

Missing size-check can lead to huge memory allocation


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.9.3, 0.10.0
    • Fix Version/s: 0.11.0
    • Component/s: Java - Library
    • Labels: None
    • Patch Info: Patch Available
    • Flags: Patch

    Description

      In some cases the method org.apache.thrift.protocol.TBinaryProtocol.readStringBody(int size) gets called with a "size" parameter that has not been validated by the existing method checkStringReadLength(int size).

      This is true if the method is called by readMessageBegin() of the same class. The method readString() checks the size correctly before calling readStringBody(int size).

      Since the methods readStringBody(int size) and readMessageBegin() are public, there may be other callers who don't check the size correctly.

      We encountered this issue in production several times. Because of this we are currently using our own patched version of libthrift-0.9.3. The patch is attached, but it is surely not the best solution, because with this patch the size may be checked twice, depending on the caller.
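To make the reported code path concrete, the following is an added illustration written for this page; it is not Thrift's own code and not the attached patch. It models the relevant part of TBinaryProtocol with a small in-memory reader: the method names readMessageBegin, readStringBody and checkStringReadLength mirror the real class, but the Reader class, the exception type, the string-length limit of 1 MiB and the hostile frame are all assumptions made for the demonstration. The reader is run twice over a constructed header whose unversioned "size" field is Integer.MAX_VALUE: the unpatched path reaches `new byte[size]` before any check, while the hardened path validates the size inside readStringBody, so every caller (including readMessageBegin and any external caller of the public method) is covered. As a defence-in-depth step beyond the issue's own description, the check also refuses a size larger than the bytes still available in the frame.

```java
import java.nio.BufferUnderflowException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

/*
 * Added illustration, not Thrift's own code: a cut-down model of the
 * TBinaryProtocol read path described in THRIFT-4362. Method names mirror
 * the real class; the Reader type, limit value and frame are assumptions.
 */
public class MessageSizeCheckDemo {

    static final int VERSION_MASK = 0xffff0000;
    static final int VERSION_1 = 0x80010000;
    static final int NO_LENGTH_LIMIT = -1;

    static class SizeLimitException extends Exception {
        SizeLimitException(String msg) { super(msg); }
    }

    /** Minimal stand-in for the transport: reads a single in-memory frame. */
    static class Reader {
        private final ByteBuffer in;          // big-endian, like the binary protocol
        private final int stringLengthLimit;  // NO_LENGTH_LIMIT disables the check
        private final boolean hardened;       // false = behaviour reported in the issue

        Reader(byte[] frame, int stringLengthLimit, boolean hardened) {
            this.in = ByteBuffer.wrap(frame);
            this.stringLengthLimit = stringLengthLimit;
            this.hardened = hardened;
        }

        int readI32() { return in.getInt(); }

        /** The validation readString() performs and the old readMessageBegin() skipped. */
        void checkStringReadLength(int length) throws SizeLimitException {
            if (length < 0)
                throw new SizeLimitException("negative string size: " + length);
            if (stringLengthLimit != NO_LENGTH_LIMIT && length > stringLengthLimit)
                throw new SizeLimitException("string size " + length + " exceeds limit " + stringLengthLimit);
            // Extra guard assumed for this demo: never trust a size larger than the frame.
            if (length > in.remaining())
                throw new SizeLimitException("string size " + length + " exceeds remaining " + in.remaining());
        }

        /** Allocates `size` bytes up front, so an unvalidated size is the whole problem. */
        String readStringBody(int size) throws SizeLimitException {
            if (hardened) checkStringReadLength(size);  // check at the choke point, whoever calls
            byte[] buf = new byte[size];                // unpatched: new byte[0x7fffffff] here
            in.get(buf);
            return new String(buf, StandardCharsets.UTF_8);
        }

        /** Models the non-strict branch (strictRead disabled): the size is passed straight through. */
        String readMessageBegin() throws SizeLimitException {
            int size = readI32();
            if (size < 0) {                              // versioned header: name read via readString()
                if ((size & VERSION_MASK) != VERSION_1)
                    throw new SizeLimitException("bad version in readMessageBegin");
                int nameLen = readI32();
                checkStringReadLength(nameLen);          // readString() validates before readStringBody()
                return readStringBody(nameLen);
            }
            return readStringBody(size);                 // old-style header: size not validated
        }
    }

    /** Constructed hostile frame: positive "size" of Integer.MAX_VALUE, then only four more bytes. */
    static byte[] hostileFrame() {
        return ByteBuffer.allocate(8).putInt(Integer.MAX_VALUE).putInt(0).array();
    }

    public static void main(String[] args) {
        byte[] frame = hostileFrame();
        int limit = 1024 * 1024;  // assumed 1 MiB string limit for the demo

        try {
            new Reader(frame, limit, true).readMessageBegin();
            System.out.println("unexpected: hardened reader accepted the frame");
        } catch (SizeLimitException e) {
            System.out.println("hardened reader rejected the frame: " + e.getMessage());
        }

        try {
            new Reader(frame, limit, false).readMessageBegin();
        } catch (SizeLimitException e) {
            System.out.println("unexpected: " + e.getMessage());
        } catch (OutOfMemoryError e) {
            // On HotSpot new byte[Integer.MAX_VALUE] fails with "Requested array size exceeds VM limit";
            // a slightly smaller size would instead exhaust the heap of a typical server.
            System.out.println("unpatched reader tried to allocate 2 GiB: " + e.getMessage());
        } catch (BufferUnderflowException e) {
            System.out.println("unpatched reader allocated the buffer, then ran out of input");
        }
    }
}
```

Placing the check inside readStringBody rather than at each caller is the option the reporter's closing remark hints at: it may re-validate a size that readString() already checked, but it is the only placement that also protects external callers of the public method, and the cost of a second comparison is negligible next to the allocation it prevents.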

      Attachments

        1. check-size.patch (0.7 kB, Christian Ciach)


          People

            Assignee: jking3 (James E. King III)
            Reporter: ChristianCiach (Christian Ciach)
            Votes: 0
            Watchers: 4
