Posted to dev@thrift.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2017/04/01 15:00:43 UTC

[jira] [Commented] (THRIFT-3978) Thrift C++ runtime uses assert to prevent overflows, checks sanity only in debug builds

    [ https://issues.apache.org/jira/browse/THRIFT-3978?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15952261#comment-15952261 ] 

ASF GitHub Bot commented on THRIFT-3978:
----------------------------------------

Github user jeking3 commented on the issue:

    https://github.com/apache/thrift/pull/1228
  
    For anybody interested in reviewing this pull request, I pretty much followed the logic that boost::mutex is using with one exception.  In cases where boost ignores an error condition to avoid throwing in a destructor, I have instead preferred to abort the process.  My thought process on this is that should mutex destruction return EBUSY or EINVAL, it is a design flaw in the implementation using the Mutex class.  EBUSY means we tried to delete the mutex while it was locked.  EINVAL means it may have been destroyed twice.  In either case, getting a core is way more useful than silently letting the issue pass by in a release build.


> Thrift C++ runtime uses assert to prevent overflows, checks sanity only in debug builds
> ---------------------------------------------------------------------------------------
>
>                 Key: THRIFT-3978
>                 URL: https://issues.apache.org/jira/browse/THRIFT-3978
>             Project: Thrift
>          Issue Type: Bug
>          Components: C++ - Library
>    Affects Versions: 0.10.0
>         Environment: All
>            Reporter: James E. King, III
>            Assignee: James E. King, III
>              Labels: security
>
> Currently there is widespread use of assert in the thrift C++ runtime library.  Some of the more disturbing cases are security related, for example checking header sizes.  I recommend we eliminate assertions that are only checked in debug mode, and instead throw the appropriate exception, usually a TTransportException with CORRUPTED_DATA as the reason.  If we're going to check for an overflow or a buffer overrun, we should do so in debug and release modes.  Further, assertions are not easily tested whereas exceptions are.
> In THRIFT-3873 apache::thrift::transport::safe_numeric_cast was added, so I also suggest changing static_cast to safe_numeric_cast where appropriate throughout the transport code to catch any overflow errors.
> Another location where assert is used liberally is inside the posix Mutex implementation.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
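The issue description above recommends replacing debug-only asserts with a TTransportException carrying CORRUPTED_DATA that fires in every build, and replacing static_cast with safe_numeric_cast in the transport code. The C++ below is an added example written for this page, not Thrift's own code: TTransportException and safe_numeric_cast are minimal hypothetical stand-ins for the real ones, and frame_size_debug_only / frame_size_checked are hypothetical functions modelled on a framed-transport length check.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <type_traits>
// Stand-in for apache::thrift::transport::TTransportException (hypothetical
// minimal version; the real class has more reason codes and members).
struct TTransportException : std::runtime_error {
  enum Type { UNKNOWN, CORRUPTED_DATA };
  Type type;
  TTransportException(Type t, const std::string& msg) : std::runtime_error(msg), type(t) {}
};

// Stand-in for the safe_numeric_cast added in THRIFT-3873: an integer
// conversion that throws CORRUPTED_DATA when the value does not survive a
// round trip, instead of silently truncating or flipping sign like static_cast.
template <typename To, typename From>
To safe_numeric_cast(From value) {
  static_assert(std::is_integral<To>::value && std::is_integral<From>::value, "integers only");
  To converted = static_cast<To>(value);
  bool lost_bits = static_cast<From>(converted) != value;
  bool lost_sign = (std::is_signed<From>::value && value < From(0)) !=
                   (std::is_signed<To>::value && converted < To(0));
  if (lost_bits || lost_sign)
    throw TTransportException(TTransportException::CORRUPTED_DATA, "numeric overflow");
  return converted;
}

// Runs f() and reports whether it was rejected with CORRUPTED_DATA; this is
// what makes the check unit-testable, which an assert never is.
template <typename F> bool rejected(F f) {
  try { f(); return false; }
  catch (const TTransportException& e) { return e.type == TTransportException::CORRUPTED_DATA; }
}

// Before: the pattern the issue criticises. With NDEBUG the assert vanishes,
// so a hostile frame length from the wire reaches the allocator unchecked.
std::size_t frame_size_debug_only(int32_t wire_size, std::size_t max_frame_size) {
  assert(wire_size >= 0 && static_cast<std::size_t>(wire_size) <= max_frame_size);
  return static_cast<std::size_t>(wire_size);
}
// After: the same check runs in debug and release builds alike.
std::size_t frame_size_checked(int32_t wire_size, std::size_t max_frame_size) {
  std::size_t size = safe_numeric_cast<std::size_t>(wire_size);  // rejects negative lengths
  if (size > max_frame_size)
    throw TTransportException(TTransportException::CORRUPTED_DATA, "frame size exceeds limit");
  return size;
}
```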