I'm afraid I don't have the expertise or time to submit a formal Git pull request and test cases, but I feel it's important for the Thrift community to be aware of a serious Denial of Service (DOS) attack vulnerability involving TBinaryProtocol.
A commercial port scanner application crashed all C++ Thrift server processes we had listening for TBinaryProcol connections. Investigation showed it was due to an assert verifying the initial packet length. Crashing the server was as easy as sending an initial 4 bytes of zeroes after the client opens the socket. I'm attaching a "TBinaryProtocolKiller.py" script that will kill all C++ ThriftBinaryProtocol servers on an arbitrary IPv4 address within a provided port range. The script can be used to verify the fix. This problem does not occur in the Python BinaryProtocol server; I don't know about other languages. The problem is present in 0.10.0 and 0.11.0, and I don't know about earlier releases.
My recommended patch is to simply change the assert to a regular error check, as shown below.