[jira] [Updated] (THRIFT-4928) Sensitive information about expected and actual reading lengths (len, got) is leaked from TIOStreamTransport to TTransport through a TTransportException

xiaoqin.fu (JIRA) Sat, 17 Aug 2019 09:45:26 -0700


     [ 
https://issues.apache.org/jira/browse/THRIFT-4928?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


xiaoqin.fu updated THRIFT-4928:
-------------------------------
    Description: 
   Operations: During Apache Thrift integration testing, I developed a 
calculator application with a client and a server. The client sent a 
computational command and get the result from the server. After I applied 
dynamic taint analyzer (distTaint), I found bugs from taint paths finally.

  The source: org.apache.thrift.transport.TIOStreamTransport:
    public int read(byte[] buf, int off, int len) throws TTransportException {
    if (inputStream_ == null) {
      throw new TTransportException(TTransportException.NOT_OPEN, "Cannot read 
from null inputStream");
    }
    int bytesRead;
        ......
      bytesRead = inputStream_.read(buf, off, len);
        ......
  }
  
  The sink: org.apache.thrift.transport.TTransport, 
  public int readAll(byte[] buf, int off, int len)
        throws TTransportException {
        ......  
        if (ret <= 0) {
                throw new TTransportException(
                "Cannot read. Remote side has closed. Tried to read "
                        + len
                        + " bytes, but only got "
                        + got
                        + " bytes. (This is often indicative of an internal 
error on the server side. Please check your server logs.)");
                }
        ......
  }
  Sensitive information about expected and actual reading lengths (len, got) is 
leaked.
  The tainted path:
   org.apache.thrift.transport.TIOStreamTransport --> 
   org.apache.thrift.transport.TTransport
   
I am going to submit a CVE, so please confirm this is not a true positive.

  was:
  The source: org.apache.thrift.transport.TIOStreamTransport:
    public int read(byte[] buf, int off, int len) throws TTransportException {
    if (inputStream_ == null) {
      throw new TTransportException(TTransportException.NOT_OPEN, "Cannot read 
from null inputStream");
    }
    int bytesRead;
        ......
      bytesRead = inputStream_.read(buf, off, len);
        ......
  }
  
  The sink: org.apache.thrift.transport.TTransport, 
  public int readAll(byte[] buf, int off, int len)
        throws TTransportException {
        ......  
        if (ret <= 0) {
                throw new TTransportException(
                "Cannot read. Remote side has closed. Tried to read "
                        + len
                        + " bytes, but only got "
                        + got
                        + " bytes. (This is often indicative of an internal 
error on the server side. Please check your server logs.)");
                }
        ......
  }
  Sensitive information about expected and actual reading lengths (len, got) is 
leaked.
  The tainted path:
   org.apache.thrift.transport.TIOStreamTransport --> 
   org.apache.thrift.transport.TTransport
   


> Sensitive information about expected and actual reading lengths (len, got) is 
> leaked from TIOStreamTransport to TTransport through a TTransportException
> --------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: THRIFT-4928
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4928
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.11.0, 0.12.0
>         Environment:  Ubuntu 16.04.3 LTS
>       Open JDK version "1.8.0_191" build 25.191-b12
>            Reporter: xiaoqin.fu
>            Priority: Major
>
>    Operations: During Apache Thrift integration testing, I developed a 
> calculator application with a client and a server. The client sent a 
> computational command and get the result from the server. After I applied 
> dynamic taint analyzer (distTaint), I found bugs from taint paths finally.
>   The source: org.apache.thrift.transport.TIOStreamTransport:
>     public int read(byte[] buf, int off, int len) throws TTransportException {
>     if (inputStream_ == null) {
>       throw new TTransportException(TTransportException.NOT_OPEN, "Cannot 
> read from null inputStream");
>     }
>     int bytesRead;
>       ......
>       bytesRead = inputStream_.read(buf, off, len);
>       ......
>   }
>   
>   The sink: org.apache.thrift.transport.TTransport, 
>   public int readAll(byte[] buf, int off, int len)
>       throws TTransportException {
>       ......  
>       if (ret <= 0) {
>               throw new TTransportException(
>               "Cannot read. Remote side has closed. Tried to read "
>                       + len
>                       + " bytes, but only got "
>                       + got
>                       + " bytes. (This is often indicative of an internal 
> error on the server side. Please check your server logs.)");
>               }
>       ......
>   }
>   Sensitive information about expected and actual reading lengths (len, got) 
> is leaked.
>   The tainted path:
>    org.apache.thrift.transport.TIOStreamTransport --> 
>    org.apache.thrift.transport.TTransport
>    
> I am going to submit a CVE, so please confirm this is not a true positive.



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)

[jira] [Updated] (THRIFT-4928) Sensitive information about expected and actual reading lengths (len, got) is leaked from TIOStreamTransport to TTransport through a TTransportException

Reply via email to