[ https://issues.apache.org/jira/browse/THRIFT-3978?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15952261#comment-15952261 ]

ASF GitHub Bot commented on THRIFT-3978:
----------------------------------------

Github user jeking3 commented on the issue:

    https://github.com/apache/thrift/pull/1228

    For anybody interested in reviewing this pull request, I pretty much
    followed the logic that boost::mutex is using with one exception.  In cases
    where boost ignores an error condition to avoid throwing in a destructor, I
    have instead preferred to abort the process.  My thought process on this is
    that should mutex destruction return EBUSY or EINVAL, it is a design flaw in
    the implementation using the Mutex class.  EBUSY means we tried to delete the
    mutex while it was locked.  EINVAL means it may have been destroyed twice.  In
    either case, getting a core is way more useful than silently letting the issue
    pass by in a release build.


> Thrift C++ runtime uses assert to prevent overflows, checks sanity only in 
> debug builds
> ---------------------------------------------------------------------------------------
>
>                 Key: THRIFT-3978
>                 URL: https://issues.apache.org/jira/browse/THRIFT-3978
>             Project: Thrift
>          Issue Type: Bug
>          Components: C++ - Library
>    Affects Versions: 0.10.0
>         Environment: All
>            Reporter: James E. King, III
>            Assignee: James E. King, III
>              Labels: security
>
> Currently there is widespread use of assert in the thrift C++ runtime 
> library.  Some of the more disturbing cases are security related, for example 
> checking header sizes.  I recommend we eliminate assertions that are only 
> checked in debug mode, and instead throw the appropriate exception, usually a 
> TTransportException with CORRUPTED_DATA as the reason.  If we're going to 
> check for an overflow or a buffer overrun, we should do so in debug and 
> release modes.  Further, assertions are not easily tested whereas exceptions 
> are.
> In THRIFT-3873 apache::thrift::transport::safe_numeric_cast was added, so I 
> also suggest changing static_cast to safe_numeric_cast where appropriate 
> throughout the transport code to catch any overflow errors.
> Another location where assert is used liberally is inside the posix Mutex 
> implementation.
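The two changes discussed in this thread, as an added C++ example that is not Thrift's own code: a header-size check that throws in every build mode instead of asserting only in debug, an overflow-checked narrowing cast in the spirit of safe_numeric_cast, and a pthread Mutex wrapper whose destructor aborts on EBUSY/EINVAL as the PR comment describes. CorruptedData, checkedCast, checkFrameSize, throwsCorruptedData and destroyErrorIsFatal are hypothetical names standing in for TTransportException/CORRUPTED_DATA and the real Thrift helpers.

```cpp
#include <cerrno>
#include <cstdint>
#include <cstdlib>
#include <limits>
#include <pthread.h>
#include <stdexcept>
#include <string>

// Hypothetical stand-in for TTransportException(CORRUPTED_DATA), not Thrift's class.
struct CorruptedData : std::runtime_error {
  explicit CorruptedData(const std::string& m) : std::runtime_error(m) {}
};

// Overflow-checked narrowing in the spirit of safe_numeric_cast (hypothetical helper).
template <typename To>
To checkedCast(uint64_t v) {
  if (v > static_cast<uint64_t>(std::numeric_limits<To>::max()))
    throw CorruptedData("value " + std::to_string(v) + " does not fit target type");
  return static_cast<To>(v);
}

// Header-size check. The debug-only form vanishes under NDEBUG, so a hostile
// frame length passes unchecked in a release build:  assert(frameSize <= maxFrameSize);
// The release-safe form rejects the frame in every build mode:
uint32_t checkFrameSize(uint32_t frameSize, uint32_t maxFrameSize) {
  if (frameSize > maxFrameSize)
    throw CorruptedData("frame size " + std::to_string(frameSize) + " exceeds limit");
  return frameSize;
}

// True if f() throws CorruptedData: exceptions can be unit-tested, asserts cannot.
template <typename F> bool throwsCorruptedData(F f) {
  try { f(); } catch (const CorruptedData&) { return true; }
  return false;
}

// Destructor policy from the PR comment: EBUSY (destroyed while locked) and EINVAL
// (destroyed twice) are caller design flaws, so abort for a core instead of ignoring them.
bool destroyErrorIsFatal(int rc) { return rc == EBUSY || rc == EINVAL; }

class Mutex {
 public:
  Mutex() { pthread_mutex_init(&m_, nullptr); }
  ~Mutex() { if (destroyErrorIsFatal(pthread_mutex_destroy(&m_))) std::abort(); }
  void lock() { pthread_mutex_lock(&m_); }
  void unlock() { pthread_mutex_unlock(&m_); }
 private:
  pthread_mutex_t m_;
};
```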



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
