Posted to dev@thrift.apache.org by "Devesh Parekh (JIRA)" <ji...@apache.org> on 2012/07/06 03:46:33 UTC

[jira] [Created] (THRIFT-1643) Denial of Service attack in TBinaryProtocol.readString

Devesh Parekh created THRIFT-1643:
-------------------------------------

             Summary: Denial of Service attack in TBinaryProtocol.readString
                 Key: THRIFT-1643
                 URL: https://issues.apache.org/jira/browse/THRIFT-1643
             Project: Thrift
          Issue Type: Bug
          Components: Java - Library
    Affects Versions: 0.8, 0.6.1
         Environment: All
            Reporter: Devesh Parekh
            Priority: Critical
         Attachments: Attack.java, Foo.thrift

In readString, if the string field's size is greater than the number of bytes remaining in the byte array to deserialize, libthrift will happily allocate a byte array of that size in readStringBody, filling the heap.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Updated] (THRIFT-1643) Denial of Service attack in TBinaryProtocol.readString

Posted by "Niraj Tolia (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/THRIFT-1643?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Niraj Tolia updated THRIFT-1643:
--------------------------------

    Attachment: 0002-Add-test-for-TBinaryProtocol-OOM-Denial-of-Service.patch
                0001-Add-test-for-TCompactProtocol-OOM-Denial-of-Service.patch

Here is a test case for TCompactProtocol.

Turns out that TBinaryProtocol was already protected by something similar to my previous patch and does not need any modification. I have also included a test case for TBinaryProtocol based on the Attack.java test included by Devesh, the original filer.

That said, would you like me to add a new patch for TCompactProtocol that, like https://svn.apache.org/viewvc?view=revision&revision=1383515, also throws TProtocolException instead of TException?
                
> Denial of Service attack in TBinaryProtocol.readString
> ------------------------------------------------------
>
>                 Key: THRIFT-1643
>                 URL: https://issues.apache.org/jira/browse/THRIFT-1643
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.6.1, 0.8
>         Environment: All
>            Reporter: Devesh Parekh
>            Assignee: Roger Meier
>            Priority: Critical
>              Labels: security
>         Attachments: 0001-Address-denial-of-service-in-TCompactProtocol.patch, 0001-Add-test-for-TCompactProtocol-OOM-Denial-of-Service.patch, 0002-Add-test-for-TBinaryProtocol-OOM-Denial-of-Service.patch, Attack.java, Foo.thrift
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> In readString, if the string field's size is greater than the number of bytes remaining in the byte array to deserialize, libthrift will happily allocate a byte array of that size in readStringBody, filling the heap.


[jira] [Updated] (THRIFT-1643) Denial of Service attack in TBinaryProtocol.readString

Posted by "Niraj Tolia (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/THRIFT-1643?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Niraj Tolia updated THRIFT-1643:
--------------------------------

    Attachment: 0001-Address-denial-of-service-in-TCompactProtocol.patch

Would a patch like the one attached be acceptable? Note that apart from a private hacked-up test, this patch hasn't really been put through its paces. However, all current unit tests pass. Would be happy to add more tests if this or something similar would be accepted.

As I could not see any easy way of making it backwards compatible with arbitrary applications, this would involve callers that care about the Denial-of-Service problem changing how they construct the protocol factories.
                
> Denial of Service attack in TBinaryProtocol.readString
> ------------------------------------------------------
>
>                 Key: THRIFT-1643
>                 URL: https://issues.apache.org/jira/browse/THRIFT-1643
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.6.1, 0.8
>         Environment: All
>            Reporter: Devesh Parekh
>            Priority: Critical
>              Labels: security
>         Attachments: 0001-Address-denial-of-service-in-TCompactProtocol.patch, Attack.java, Foo.thrift
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> In readString, if the string field's size is greater than the number of bytes remaining in the byte array to deserialize, libthrift will happily allocate a byte array of that size in readStringBody, filling the heap.


[jira] [Commented] (THRIFT-1643) Denial of Service attack in TBinaryProtocol.readString

Posted by "Hudson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-1643?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13472922#comment-13472922 ] 

Hudson commented on THRIFT-1643:
--------------------------------

Integrated in Thrift #560 (See [https://builds.apache.org/job/Thrift/560/])
    THRIFT-1643 Denial of Service attack in TBinaryProtocol.readString
Patch: Niraj Tolia
Fix:   add TCompactProtocol maxNetworkBytes (Revision 1396186)

     Result = ABORTED
roger : http://svn.apache.org/viewvc/?view=rev&rev=1396186
Files : 
* /thrift/trunk/lib/java/src/org/apache/thrift/protocol/TCompactProtocol.java

                
> Denial of Service attack in TBinaryProtocol.readString
> ------------------------------------------------------
>
>                 Key: THRIFT-1643
>                 URL: https://issues.apache.org/jira/browse/THRIFT-1643
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.6.1, 0.8
>         Environment: All
>            Reporter: Devesh Parekh
>            Assignee: Roger Meier
>            Priority: Critical
>              Labels: security
>         Attachments: 0001-Address-denial-of-service-in-TCompactProtocol.patch, 0001-Add-test-for-TCompactProtocol-OOM-Denial-of-Service.patch, 0002-Add-test-for-TBinaryProtocol-OOM-Denial-of-Service.patch, 0003-Cleanup-length-checks-in-TCompactProtocol.patch, Attack.java, Foo.thrift
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> In readString, if the string field's size is greater than the number of bytes remaining in the byte array to deserialize, libthrift will happily allocate a byte array of that size in readStringBody, filling the heap.


[jira] [Closed] (THRIFT-1643) Denial of Service attack in TBinaryProtocol.readString

Posted by "Jake Farrell (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/THRIFT-1643?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jake Farrell closed THRIFT-1643.
--------------------------------

       Resolution: Fixed
    Fix Version/s: 0.9
         Assignee: Niraj Tolia  (was: Jake Farrell)

Committed to trunk and 0.9 branch pre-rc
                
> Denial of Service attack in TBinaryProtocol.readString
> ------------------------------------------------------
>
>                 Key: THRIFT-1643
>                 URL: https://issues.apache.org/jira/browse/THRIFT-1643
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.6.1, 0.8
>         Environment: All
>            Reporter: Devesh Parekh
>            Assignee: Niraj Tolia
>            Priority: Critical
>              Labels: security
>             Fix For: 0.9
>
>         Attachments: 0001-Address-denial-of-service-in-TCompactProtocol.patch, 0001-Add-test-for-TCompactProtocol-OOM-Denial-of-Service.patch, 0002-Add-test-for-TBinaryProtocol-OOM-Denial-of-Service.patch, 0003-Cleanup-length-checks-in-TCompactProtocol.patch, Attack.java, Foo.thrift
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> In readString, if the string field's size is greater than the number of bytes remaining in the byte array to deserialize, libthrift will happily allocate a byte array of that size in readStringBody, filling the heap.


[jira] [Commented] (THRIFT-1643) Denial of Service attack in TBinaryProtocol.readString

Posted by "Hudson (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-1643?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13474836#comment-13474836 ] 

Hudson commented on THRIFT-1643:
--------------------------------

Integrated in Thrift #563 (See [https://builds.apache.org/job/Thrift/563/])
    THRIFT-1643:Denial of Service attack in TBinaryProtocol.readString
Client: java
Patch: Niraj Tolia 

In readString, if the string field's size is greater than the number of bytes remaining in the byte array to deserialize, libthrift will happily allocate a byte array of that size in readStringBody, filling the heap. (Revision 1397397)

     Result = ABORTED
jfarrell : http://svn.apache.org/viewvc/?view=rev&rev=1397397
Files : 
* /thrift/trunk/lib/java/src/org/apache/thrift/protocol/TCompactProtocol.java
* /thrift/trunk/lib/java/test/org/apache/thrift/protocol/TestTBinaryProtocol.java
* /thrift/trunk/lib/java/test/org/apache/thrift/protocol/TestTCompactProtocol.java

                
> Denial of Service attack in TBinaryProtocol.readString
> ------------------------------------------------------
>
>                 Key: THRIFT-1643
>                 URL: https://issues.apache.org/jira/browse/THRIFT-1643
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.6.1, 0.8
>         Environment: All
>            Reporter: Devesh Parekh
>            Assignee: Niraj Tolia
>            Priority: Critical
>              Labels: security
>             Fix For: 0.9
>
>         Attachments: 0001-Address-denial-of-service-in-TCompactProtocol.patch, 0001-Add-test-for-TCompactProtocol-OOM-Denial-of-Service.patch, 0002-Add-test-for-TBinaryProtocol-OOM-Denial-of-Service.patch, 0003-Cleanup-length-checks-in-TCompactProtocol.patch, Attack.java, Foo.thrift
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> In readString, if the string field's size is greater than the number of bytes remaining in the byte array to deserialize, libthrift will happily allocate a byte array of that size in readStringBody, filling the heap.


[jira] [Updated] (THRIFT-1643) Denial of Service attack in TBinaryProtocol.readString

Posted by "Devesh Parekh (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/THRIFT-1643?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Devesh Parekh updated THRIFT-1643:
----------------------------------

    Attachment: Attack.java
                Foo.thrift

Demonstration of the attack.
                
> Denial of Service attack in TBinaryProtocol.readString
> ------------------------------------------------------
>
>                 Key: THRIFT-1643
>                 URL: https://issues.apache.org/jira/browse/THRIFT-1643
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.6.1, 0.8
>         Environment: All
>            Reporter: Devesh Parekh
>            Priority: Critical
>              Labels: security
>         Attachments: Attack.java, Foo.thrift
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> In readString, if the string field's size is greater than the number of bytes remaining in the byte array to deserialize, libthrift will happily allocate a byte array of that size in readStringBody, filling the heap.


        

[jira] [Commented] (THRIFT-1643) Denial of Service attack in TBinaryProtocol.readString

Posted by "Roger Meier (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-1643?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13473841#comment-13473841 ] 

Roger Meier commented on THRIFT-1643:
-------------------------------------

Sorry, I was too busy to look at it.
However, I reviewed the new patches with the test and they are ready to commit.

I did not commit because Jake is preparing a release and he already made a branch for 0.9.x.


                
> Denial of Service attack in TBinaryProtocol.readString
> ------------------------------------------------------
>
>                 Key: THRIFT-1643
>                 URL: https://issues.apache.org/jira/browse/THRIFT-1643
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.6.1, 0.8
>         Environment: All
>            Reporter: Devesh Parekh
>            Assignee: Roger Meier
>            Priority: Critical
>              Labels: security
>         Attachments: 0001-Address-denial-of-service-in-TCompactProtocol.patch, 0001-Add-test-for-TCompactProtocol-OOM-Denial-of-Service.patch, 0002-Add-test-for-TBinaryProtocol-OOM-Denial-of-Service.patch, 0003-Cleanup-length-checks-in-TCompactProtocol.patch, Attack.java, Foo.thrift
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> In readString, if the string field's size is greater than the number of bytes remaining in the byte array to deserialize, libthrift will happily allocate a byte array of that size in readStringBody, filling the heap.


[jira] [Commented] (THRIFT-1643) Denial of Service attack in TBinaryProtocol.readString

Posted by "Niraj Tolia (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-1643?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13472704#comment-13472704 ] 

Niraj Tolia commented on THRIFT-1643:
-------------------------------------

Will submit a TCompactProtocol test case for review soon. I will also look at the TBinaryProtocol code right after that and, assuming the solution is similar, will submit a fix for that too.
                
> Denial of Service attack in TBinaryProtocol.readString
> ------------------------------------------------------
>
>                 Key: THRIFT-1643
>                 URL: https://issues.apache.org/jira/browse/THRIFT-1643
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.6.1, 0.8
>         Environment: All
>            Reporter: Devesh Parekh
>            Assignee: Roger Meier
>            Priority: Critical
>              Labels: security
>         Attachments: 0001-Address-denial-of-service-in-TCompactProtocol.patch, Attack.java, Foo.thrift
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> In readString, if the string field's size is greater than the number of bytes remaining in the byte array to deserialize, libthrift will happily allocate a byte array of that size in readStringBody, filling the heap.


[jira] [Commented] (THRIFT-1643) Denial of Service attack in TBinaryProtocol.readString

Posted by "Roger Meier (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-1643?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13471312#comment-13471312 ] 

Roger Meier commented on THRIFT-1643:
-------------------------------------

Do you have a patch and/or a test case?
                
> Denial of Service attack in TBinaryProtocol.readString
> ------------------------------------------------------
>
>                 Key: THRIFT-1643
>                 URL: https://issues.apache.org/jira/browse/THRIFT-1643
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.6.1, 0.8
>         Environment: All
>            Reporter: Devesh Parekh
>            Priority: Critical
>              Labels: security
>         Attachments: Attack.java, Foo.thrift
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> In readString, if the string field's size is greater than the number of bytes remaining in the byte array to deserialize, libthrift will happily allocate a byte array of that size in readStringBody, filling the heap.


[jira] [Commented] (THRIFT-1643) Denial of Service attack in TBinaryProtocol.readString

Posted by "Niraj Tolia (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-1643?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13472077#comment-13472077 ] 

Niraj Tolia commented on THRIFT-1643:
-------------------------------------

Doesn't this also impact TCompactProtocol.readString() because it uses readBinary() which does a "new byte[length]"? In this case, length is derived from readVarint32().

{code:java}
  private byte[] readBinary(int length) throws TException {
    if (length == 0) return new byte[0];

    byte[] buf = new byte[length];
    trans_.readAll(buf, 0, length);
    return buf;
  }
{code}
                
> Denial of Service attack in TBinaryProtocol.readString
> ------------------------------------------------------
>
>                 Key: THRIFT-1643
>                 URL: https://issues.apache.org/jira/browse/THRIFT-1643
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.6.1, 0.8
>         Environment: All
>            Reporter: Devesh Parekh
>            Priority: Critical
>              Labels: security
>         Attachments: Attack.java, Foo.thrift
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> In readString, if the string field's size is greater than the number of bytes remaining in the byte array to deserialize, libthrift will happily allocate a byte array of that size in readStringBody, filling the heap.
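
An added example (not from this thread or from Thrift's source) of the checks that have to run before `new byte[length]` when the length comes from a varint prefix: sign, a configurable cap, and bytes remaining. The class, its `maxBytes` parameter and the sample inputs are constructed for illustration, and the remaining-bytes check assumes a fully buffered message.

```java
import java.nio.charset.StandardCharsets;

// Added illustration, not Thrift source: all names here are hypothetical.
public class LengthPrefixDemo {
    static class LengthException extends Exception {
        LengthException(String msg) { super(msg); }
    }

    private final byte[] buf;   // fully buffered message
    private int pos;            // read cursor into buf
    private final int maxBytes; // per-field cap, -1 disables it (assumed knob)

    LengthPrefixDemo(byte[] buf, int maxBytes) {
        this.buf = buf;
        this.maxBytes = maxBytes;
    }

    // Unsigned LEB128 varint, at most 5 bytes. A 5th byte with high bits set
    // can make the int result negative, so callers must check the sign.
    int readVarint32() throws LengthException {
        int result = 0;
        for (int shift = 0; shift < 35; shift += 7) {
            if (pos >= buf.length) throw new LengthException("truncated varint");
            byte b = buf[pos++];
            result |= (b & 0x7f) << shift;
            if ((b & 0x80) == 0) return result;
        }
        throw new LengthException("varint longer than 5 bytes");
    }

    // Every check runs before the allocation; the unchecked readBinary quoted
    // above goes straight to "new byte[length]".
    private void checkLength(int length) throws LengthException {
        if (length < 0) {
            throw new LengthException("negative length " + length);
        }
        if (maxBytes != -1 && length > maxBytes) {
            throw new LengthException("length " + length + " exceeds cap " + maxBytes);
        }
        int remaining = buf.length - pos;
        if (length > remaining) {
            throw new LengthException(
                "length " + length + " exceeds " + remaining + " remaining bytes");
        }
    }

    byte[] readBinary() throws LengthException {
        int length = readVarint32();
        checkLength(length);
        byte[] out = new byte[length];
        System.arraycopy(buf, pos, out, 0, length);
        pos += length;
        return out;
    }

    static String tryRead(byte[] wire, int maxBytes) {
        try {
            byte[] v = new LengthPrefixDemo(wire, maxBytes).readBinary();
            return "ok: " + new String(v, StandardCharsets.UTF_8);
        } catch (LengthException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: varint length prefix followed by payload bytes.
        byte[] wellFormed = {0x05, 'h', 'e', 'l', 'l', 'o'};
        // Prefix decodes to 0x7fffffff, but only one payload byte follows.
        byte[] oversized = {(byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, 0x07, 'x'};
        // Prefix decodes to -1.
        byte[] negative = {(byte) 0xff, (byte) 0xff, (byte) 0xff, (byte) 0xff, 0x0f};

        System.out.println(tryRead(wellFormed, -1));
        System.out.println(tryRead(oversized, -1));
        System.out.println(tryRead(negative, -1));
        System.out.println(tryRead(wellFormed, 4)); // within buffer, over the cap
    }
}
```

On a streaming transport the remaining byte count is not known up front, which leaves the configured cap as the only bound available before allocation.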


[jira] [Commented] (THRIFT-1643) Denial of Service attack in TBinaryProtocol.readString

Posted by "Devesh Parekh (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-1643?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13472043#comment-13472043 ] 

Devesh Parekh commented on THRIFT-1643:
---------------------------------------

The two attached files demonstrate the attack. Unfortunately, I've stopped using Thrift, so writing a patch and a unit test won't be a good use of my time.
                
> Denial of Service attack in TBinaryProtocol.readString
> ------------------------------------------------------
>
>                 Key: THRIFT-1643
>                 URL: https://issues.apache.org/jira/browse/THRIFT-1643
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.6.1, 0.8
>         Environment: All
>            Reporter: Devesh Parekh
>            Priority: Critical
>              Labels: security
>         Attachments: Attack.java, Foo.thrift
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> In readString, if the string field's size is greater than the number of bytes remaining in the byte array to deserialize, libthrift will happily allocate a byte array of that size in readStringBody, filling the heap.


[jira] [Assigned] (THRIFT-1643) Denial of Service attack in TBinaryProtocol.readString

Posted by "Jake Farrell (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/THRIFT-1643?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jake Farrell reassigned THRIFT-1643:
------------------------------------

    Assignee: Jake Farrell  (was: Roger Meier)
    
> Denial of Service attack in TBinaryProtocol.readString
> ------------------------------------------------------
>
>                 Key: THRIFT-1643
>                 URL: https://issues.apache.org/jira/browse/THRIFT-1643
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.6.1, 0.8
>         Environment: All
>            Reporter: Devesh Parekh
>            Assignee: Jake Farrell
>            Priority: Critical
>              Labels: security
>         Attachments: 0001-Address-denial-of-service-in-TCompactProtocol.patch, 0001-Add-test-for-TCompactProtocol-OOM-Denial-of-Service.patch, 0002-Add-test-for-TBinaryProtocol-OOM-Denial-of-Service.patch, 0003-Cleanup-length-checks-in-TCompactProtocol.patch, Attack.java, Foo.thrift
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> In readString, if the string field's size is greater than the number of bytes remaining in the byte array to deserialize, libthrift will happily allocate a byte array of that size in readStringBody, filling the heap.


[jira] [Assigned] (THRIFT-1643) Denial of Service attack in TBinaryProtocol.readString

Posted by "Roger Meier (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/THRIFT-1643?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Roger Meier reassigned THRIFT-1643:
-----------------------------------

    Assignee: Roger Meier
    
> Denial of Service attack in TBinaryProtocol.readString
> ------------------------------------------------------
>
>                 Key: THRIFT-1643
>                 URL: https://issues.apache.org/jira/browse/THRIFT-1643
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.6.1, 0.8
>         Environment: All
>            Reporter: Devesh Parekh
>            Assignee: Roger Meier
>            Priority: Critical
>              Labels: security
>         Attachments: 0001-Address-denial-of-service-in-TCompactProtocol.patch, Attack.java, Foo.thrift
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> In readString, if the string field's size is greater than the number of bytes remaining in the byte array to deserialize, libthrift will happily allocate a byte array of that size in readStringBody, filling the heap.


[jira] [Commented] (THRIFT-1643) Denial of Service attack in TBinaryProtocol.readString

Posted by "Roger Meier (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/THRIFT-1643?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13472622#comment-13472622 ] 

Roger Meier commented on THRIFT-1643:
-------------------------------------

Thanks,
committed!

A test case and a TBinaryProtocol fix would be great ;-)
                
> Denial of Service attack in TBinaryProtocol.readString
> ------------------------------------------------------
>
>                 Key: THRIFT-1643
>                 URL: https://issues.apache.org/jira/browse/THRIFT-1643
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.6.1, 0.8
>         Environment: All
>            Reporter: Devesh Parekh
>            Assignee: Roger Meier
>            Priority: Critical
>              Labels: security
>         Attachments: 0001-Address-denial-of-service-in-TCompactProtocol.patch, Attack.java, Foo.thrift
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> In readString, if the string field's size is greater than the number of bytes remaining in the byte array to deserialize, libthrift will happily allocate a byte array of that size in readStringBody, filling the heap.


[jira] [Updated] (THRIFT-1643) Denial of Service attack in TBinaryProtocol.readString

Posted by "Niraj Tolia (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/THRIFT-1643?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Niraj Tolia updated THRIFT-1643:
--------------------------------

    Attachment: 0003-Cleanup-length-checks-in-TCompactProtocol.patch

Cleanup patch for TCompactProtocol attached to bring it closer to TBinaryProtocol. Also adds some additional checks. Will apply cleanly on top of the unit test patches.
                
> Denial of Service attack in TBinaryProtocol.readString
> ------------------------------------------------------
>
>                 Key: THRIFT-1643
>                 URL: https://issues.apache.org/jira/browse/THRIFT-1643
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.6.1, 0.8
>         Environment: All
>            Reporter: Devesh Parekh
>            Assignee: Roger Meier
>            Priority: Critical
>              Labels: security
>         Attachments: 0001-Address-denial-of-service-in-TCompactProtocol.patch, 0001-Add-test-for-TCompactProtocol-OOM-Denial-of-Service.patch, 0002-Add-test-for-TBinaryProtocol-OOM-Denial-of-Service.patch, 0003-Cleanup-length-checks-in-TCompactProtocol.patch, Attack.java, Foo.thrift
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> In readString, if the string field's size is greater than the number of bytes remaining in the byte array to deserialize, libthrift will happily allocate a byte array of that size in readStringBody, filling the heap.
