You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@thrift.apache.org by "Duru Can Celasun (Jira)" <ji...@apache.org> on 2020/12/10 14:00:00 UTC

[jira] [Commented] (THRIFT-5322) Go compact_protocol allocating unreasonable buffer size

    [ https://issues.apache.org/jira/browse/THRIFT-5322?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17247254#comment-17247254 ] 

Duru Can Celasun commented on THRIFT-5322:
------------------------------------------

Buffer size limits have been implemented [1] for a number of languages in the aftermath of CVE-2019-11939 [2] but nobody has done so for Go yet. PRs are very welcome.


[1] Java example: https://github.com/apache/thrift/pull/2191


[2] https://nvd.nist.gov/vuln/detail/CVE-2019-11939

> Go compact_protocol allocating unreasonable buffer size
> -------------------------------------------------------
>
>                 Key: THRIFT-5322
>                 URL: https://issues.apache.org/jira/browse/THRIFT-5322
>             Project: Thrift
>          Issue Type: Bug
>          Components: Go - Library
>    Affects Versions: 0.13.0
>            Reporter: Juraci Paixão Kröhling
>            Priority: Major
>
> I don't yet know all the pieces to this puzzle, and it's quite possible that the problem is on our side, but we use the Thrift Go library in the Jaeger Agent and we are seeing a case where the memory consumption for a payload of 4k bytes to result in a buffer allocation in the compact_protocol.go with unreasonable sizes. I found buffers of 1.4GiB while debugging the issue.
>  
> This is the code that we are seeing this memory usage:
> [https://github.com/apache/thrift/blob/b75e88a33d67ae05ef9b5fa001d2a63a2effe377/lib/go/thrift/compact_protocol.go#L556-L577]
>  
> Here's more information about this, including a reproducer and initial diagnostics:
> [https://github.com/jaegertracing/jaeger/issues/2638#issuecomment-741848201]
>  
> As mentioned above, I'm still getting all the pieces together, but perhaps you've seen this before or know what might be going on. What I know for sure at the moment is that this happens on malformed payloads, but I would expect the library to have an upper limit on the buffer size.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)