[
https://issues.apache.org/jira/browse/THRIFT-3978?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
James E. King, III updated THRIFT-3978:
---------------------------------------
Description:
Currently there is widespread use of assert in the thrift C++ runtime library.
Some of the more disturbing cases are security related, for example checking
header sizes. I recommend we eliminate assertions that are only checked in
debug mode, and instead throw the appropriate exception, usually a
TTransportException with CORRUPTED_DATA as the reason. If we're going to check
for an overflow or a buffer overrun, we should do so in debug and release
modes. Further, assertions are not easily tested whereas exceptions are.
In THRIFT-3873 apache::thrift::transport::safe_numeric_cast was added, so I
also suggest changing static_cast to safe_numeric_cast where appropriate
throughout the transport code to catch any overflow errors.
was:Currently there is widespread use of assert in the thrift C++ runtime
library. Some of the more disturbing cases are security related, for example
checking header sizes. I recommend we eliminate assertions that are only
checked in debug mode, and instead throw the appropriate exception, usually a
TTransportException with CORRUPTED_DATA as the reason. If we're going to check
for an overflow or a buffer overrun, we should do so in debug and release
modes. Further, assertions are not easily tested whereas exceptions are.
> Thrift C++ runtime uses assert to prevent overflows, checks sanity only in
> debug builds
> ---------------------------------------------------------------------------------------
>
> Key: THRIFT-3978
> URL: https://issues.apache.org/jira/browse/THRIFT-3978
> Project: Thrift
> Issue Type: Bug
> Components: C++ - Library
> Affects Versions: 0.10.0
> Environment: All
> Reporter: James E. King, III
> Assignee: James E. King, III
> Labels: security
>
> Currently there is widespread use of assert in the thrift C++ runtime
> library. Some of the more disturbing cases are security related, for example
> checking header sizes. I recommend we eliminate assertions that are only
> checked in debug mode, and instead throw the appropriate exception, usually a
> TTransportException with CORRUPTED_DATA as the reason. If we're going to
> check for an overflow or a buffer overrun, we should do so in debug and
> release modes. Further, assertions are not easily tested whereas exceptions
> are.
> In THRIFT-3873 apache::thrift::transport::safe_numeric_cast was added, so I
> also suggest changing static_cast to safe_numeric_cast where appropriate
> throughout the transport code to catch any overflow errors.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
