You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@thrift.apache.org by "Qinghui Xu (Jira)" <ji...@apache.org> on 2019/10/16 18:57:00 UTC
[jira] [Commented] (THRIFT-4928) Sensitive information about
expected and actual reading lengths (len, got) is leaked from
TIOStreamTransport to TTransport through a TTransportException
[ https://issues.apache.org/jira/browse/THRIFT-4928?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16953108#comment-16953108 ]
Qinghui Xu commented on THRIFT-4928:
------------------------------------
It seems to me there are a lot of duplicated tickets
# THRIFT-4922
# THRIFT-4923
# THRIFT-4924
# THRIFT-4925
# THRIFT-4926
# THRIFT-4929
I would suggest to close them and keep discussion here.
> Sensitive information about expected and actual reading lengths (len, got) is leaked from TIOStreamTransport to TTransport through a TTransportException
> --------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: THRIFT-4928
> URL: https://issues.apache.org/jira/browse/THRIFT-4928
> Project: Thrift
> Issue Type: Bug
> Components: Java - Library
> Affects Versions: 0.11.0, 0.12.0
> Environment: Ubuntu 16.04.3 LTS
> Open JDK version "1.8.0_191" build 25.191-b12
> Reporter: xiaoqin.fu
> Priority: Major
>
> Operations: During Apache Thrift integration testing, I developed a calculator application with a client and a server. The client sent a computational command and get the result from the server. After I applied dynamic taint analyzer (distTaint), I found bugs from taint paths finally.
> The source: org.apache.thrift.transport.TIOStreamTransport:
> public int read(byte[] buf, int off, int len) throws TTransportException {
> if (inputStream_ == null) {
> throw new TTransportException(TTransportException.NOT_OPEN, "Cannot read from null inputStream");
> }
> int bytesRead;
> ......
> bytesRead = inputStream_.read(buf, off, len);
> ......
> }
>
> The sink: org.apache.thrift.transport.TTransport,
> public int readAll(byte[] buf, int off, int len)
> throws TTransportException {
> ......
> if (ret <= 0) {
> throw new TTransportException(
> "Cannot read. Remote side has closed. Tried to read "
> + len
> + " bytes, but only got "
> + got
> + " bytes. (This is often indicative of an internal error on the server side. Please check your server logs.)");
> }
> ......
> }
> Sensitive information about expected and actual reading lengths (len, got) is leaked.
> The tainted path:
> org.apache.thrift.transport.TIOStreamTransport -->
> org.apache.thrift.transport.TTransport
>
> I am going to submit a CVE, so please confirm this is not a true positive.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)