Posted to dev@thrift.apache.org by "James E. King, III (JIRA)" <ji...@apache.org> on 2015/07/29 23:40:04 UTC

[jira] [Commented] (THRIFT-2006) TBinaryProtocol message header call name length is not validated and can be used to core the server

    [ https://issues.apache.org/jira/browse/THRIFT-2006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14646796#comment-14646796 ] 

James E. King, III commented on THRIFT-2006:
--------------------------------------------

From [~ben.craig]:
{quote}
This doesn't answer your question exactly... but there are some maximum frame sizes (TNonblockingServer::MAX_FRAME_SIZE) scattered throughout the code base. 

TBinaryProtocol.tcc has a 'string_limit_' field, that I think does what you want. 
{quote}

> TBinaryProtocol message header call name length is not validated and can be used to core the server
> ---------------------------------------------------------------------------------------------------
>
>                 Key: THRIFT-2006
>                 URL: https://issues.apache.org/jira/browse/THRIFT-2006
>             Project: Thrift
>          Issue Type: Bug
>          Components: C++ - Library
>    Affects Versions: 0.8
>         Environment: SUSE linux
>            Reporter: leeto
>            Priority: Critical
>              Labels: DenialOfService
>
> When using the "Nessus" tool to scan the server, we got the core file below:
> Program terminated with signal 11, Segmentation fault.
> #0  0xf6a97d36 in memcpy () from /lib/libc.so.6
> (gdb) bt
> #0  0xf6a97d36 in memcpy () from /lib/libc.so.6
> #1  0x3d5c9c24 in ?? ()
> #2  0xf5c2096e in apache::thrift::transport::TVirtualTransport<apache::thrift::transport::TBufferedTransport, apache::thrift::transport::TBufferBase>::readAll_virt(unsigned char*, unsigned int) () from /var/opt/lib/libloggingsynchronizer.so
> #3  0xf5c20d2c in apache::thrift::protocol::TBinaryProtocolT<apache::thrift::transport::TTransport>::readStringBody(std::string&, int) ()
>    from /var/opt/lib/libloggingsynchronizer.so
> #4  0xf5c2139b in apache::thrift::protocol::TBinaryProtocolT<apache::thrift::transport::TTransport>::readMessageBegin(std::string&, apache::thrift::protocol::TMessageType&, int&) () from /var/opt/lib/libloggingsynchronizer.so
> #5  0xf5c215e2 in apache::thrift::protocol::TVirtualProtocol<apache::thrift::protocol::TBinaryProtocolT<apache::thrift::transport::TTransport>, apache::thrift::protocol::TProtocolDefaults>::readMessageBegin_virt(std::string&, apache::thrift::protocol::TMessageType&, int&) ()
>    from /var/opt/lib/libloggingsynchronizer.so
> #6  0xf5c182ad in Logging::LoggingConfigSynchronizerProcessor::process(boost::shared_ptr<apache::thrift::protocol::TProtocol>, boost::shared_ptr<apache::thrift::protocol::TProtocol>, void*) () from /var/opt/lib/libloggingsynchronizer.so
> #7  0xed2b0d5b in apache::thrift::server::TSimpleServer::serve (this=0xf60eeba0) at src/server/TSimpleServer.cpp:103
> #8  0xf5c1b378 in Logging::Synchronizer::serve() () from /var/opt/lib/libloggingsynchronizer.so



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
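The comment above points at the string_limit_ field as the place where the call-name length should be bounded. As an added example (not Thrift's own code), here is a minimal parser for the strict TBinaryProtocol message header that rejects a negative, over-limit or over-frame name length before any bytes are copied; the function, enum and parameter names are this example's own.

```cpp
#include <cstdint>
#include <string>
#include <vector>

// Constructed example, not Thrift library code: a minimal parser for the strict
// TBinaryProtocol message header that checks the call-name length before reading
// it. Layout, all integers big-endian: int32 (VERSION_1 | type), int32 name length, name, int32 seqid.
static const uint32_t VERSION_MASK = 0xffff0000;
static const uint32_t VERSION_1    = 0x80010000;
enum Status { HDR_OK, HDR_TRUNCATED, HDR_BAD_VERSION, HDR_NEGATIVE_LENGTH, HDR_LENGTH_OVER_LIMIT, HDR_LENGTH_OVER_FRAME };
struct MessageHeader { std::string name; uint8_t type = 0; int32_t seqid = 0; };

// Reads a big-endian int32 at pos; returns false if fewer than 4 bytes remain.
static bool readI32(const std::vector<uint8_t>& b, size_t& pos, int32_t& out) {
    if (b.size() - pos < 4) return false;
    uint32_t v = 0;
    for (int i = 0; i < 4; ++i) v = (v << 8) | b[pos++];
    out = static_cast<int32_t>(v);
    return true;
}

// string_limit plays the role of TBinaryProtocol's string_limit_ (the parameter
// name is this example's own). Every check on the length happens before any copy.
Status readMessageBegin(const std::vector<uint8_t>& frame, int32_t string_limit, MessageHeader& h) {
    size_t pos = 0;
    int32_t first = 0, len = 0;
    if (!readI32(frame, pos, first)) return HDR_TRUNCATED;
    if ((static_cast<uint32_t>(first) & VERSION_MASK) != VERSION_1) return HDR_BAD_VERSION;
    h.type = static_cast<uint8_t>(first & 0xff);
    if (!readI32(frame, pos, len)) return HDR_TRUNCATED;
    // Without these three checks a peer-chosen length flows straight into
    // readAll/memcpy, which is the crash in the reported backtrace.
    if (len < 0) return HDR_NEGATIVE_LENGTH;
    if (len > string_limit) return HDR_LENGTH_OVER_LIMIT;
    if (static_cast<size_t>(len) > frame.size() - pos) return HDR_LENGTH_OVER_FRAME;
    h.name.assign(reinterpret_cast<const char*>(frame.data() + pos), static_cast<size_t>(len));
    pos += static_cast<size_t>(len);
    return readI32(frame, pos, h.seqid) ? HDR_OK : HDR_TRUNCATED;
}

// Builds a header whose declared name length may differ from the real one (constructed input for exercising the checks).
std::vector<uint8_t> makeFrame(const std::string& name, int32_t declaredLen, uint8_t type, int32_t seqid) {
    std::vector<uint8_t> f;
    auto put = [&f](uint32_t v) { for (int s = 24; s >= 0; s -= 8) f.push_back(uint8_t(v >> s)); };
    put(VERSION_1 | type);
    put(static_cast<uint32_t>(declaredLen));
    f.insert(f.end(), name.begin(), name.end());
    put(static_cast<uint32_t>(seqid));
    return f;
}
```

In the library the corresponding limit is reached through the string_limit_ field mentioned in the comment; a server that leaves it unset relies on the transport's frame-size checks alone.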