You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@thrift.apache.org by "Jens Geyer (Jira)" <ji...@apache.org> on 2019/11/20 02:10:00 UTC

[jira] [Resolved] (THRIFT-4682) C++ TBinaryProtocol crashes on port scan

     [ https://issues.apache.org/jira/browse/THRIFT-4682?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jens Geyer resolved THRIFT-4682.
--------------------------------
    Fix Version/s: 0.14.0
       Resolution: Fixed

Committed (with wrong ticket number in the commit message)

> C++ TBinaryProtocol crashes on port scan
> ----------------------------------------
>
>                 Key: THRIFT-4682
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4682
>             Project: Thrift
>          Issue Type: Bug
>          Components: C++ - Library
>    Affects Versions: 0.10.0, 0.11.0
>            Reporter: Michael Patrick
>            Assignee: Jens Geyer
>            Priority: Major
>             Fix For: 0.14.0
>
>         Attachments: TBinaryProtocolKiller.py, THRIFT-4682.diff
>
>
> I'm afraid I don't have the expertise or time to submit a formal Git pull request and test cases, but I feel it's important for the Thrift community to be aware of a serious Denial of Service (DOS) attack vulnerability involving TBinaryProtocol. 
> A commercial port scanner application crashed all C++ Thrift server processes we had listening for TBinaryProcol connections. Investigation showed it was due to an assert verifying the initial packet length.  Crashing the server was as easy as sending an initial 4 bytes of zeroes after the client opens the socket.  I'm attaching a "TBinaryProtocolKiller.py" script that  will kill all C++ ThriftBinaryProtocol servers on an arbitrary IPv4 address within a provided port range. The script can be used to verify the fix.   This problem  does not occur in the  Python BinaryProtocol server;  I don't know about other languages.  The problem is present in 0.10.0 and 0.11.0, and I don't know about earlier releases. 
>  My recommended patch is to simply change the assert to a regular error check, as shown below. 
> {code:java}
> Index: lib/cpp/src/thrift/server/TNonblockingServer.cpp
> ===================================================================
> --- lib/cpp/src/thrift/server/TNonblockingServer.cpp	(revision 75217)
> +++ lib/cpp/src/thrift/server/TNonblockingServer.cpp	(working copy)
> @@ -473,8 +473,13 @@
> return;
> case SOCKET_RECV:
> - // It is an error to be in this state if we already have all the data
> - assert(readBufferPos_ < readWant_);
> + if (!(readBufferPos_ < readWant_)) {
> + GlobalOutput.printf("TNonblockingServer: frame size too short from client %s",
> + tSocket_->getSocketInfo().c_str());
> + close();
> + return;
> + }
> try {
> // Read from the socket{code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)