[jira] [Resolved] (THRIFT-4682) C++ TBinaryProtocol crashes on port scan

Tue, 19 Nov 2019 18:10:58 -0800 


     [ 
https://issues.apache.org/jira/browse/THRIFT-4682?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jens Geyer resolved THRIFT-4682.
--------------------------------
    Fix Version/s: 0.14.0
       Resolution: Fixed

Committed (with wrong ticket number in the commit message)

> C++ TBinaryProtocol crashes on port scan
> ----------------------------------------
>
>                 Key: THRIFT-4682
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4682
>             Project: Thrift
>          Issue Type: Bug
>          Components: C++ - Library
>    Affects Versions: 0.10.0, 0.11.0
>            Reporter: Michael Patrick
>            Assignee: Jens Geyer
>            Priority: Major
>             Fix For: 0.14.0
>
>         Attachments: TBinaryProtocolKiller.py, THRIFT-4682.diff
>
>
> I'm afraid I don't have the expertise or time to submit a formal Git pull 
> request and test cases, but I feel it's important for the Thrift community to 
> be aware of a serious Denial of Service (DOS) attack vulnerability involving 
> TBinaryProtocol. 
> A commercial port scanner application crashed all C++ Thrift server processes 
> we had listening for TBinaryProcol connections. Investigation showed it was 
> due to an assert verifying the initial packet length.  Crashing the server 
> was as easy as sending an initial 4 bytes of zeroes after the client opens 
> the socket.  I'm attaching a "TBinaryProtocolKiller.py" script that  will 
> kill all C++ ThriftBinaryProtocol servers on an arbitrary IPv4 address within 
> a provided port range. The script can be used to verify the fix.   This 
> problem  does not occur in the  Python BinaryProtocol server;  I don't know 
> about other languages.  The problem is present in 0.10.0 and 0.11.0, and I 
> don't know about earlier releases. 
>  My recommended patch is to simply change the assert to a regular error 
> check, as shown below. 
> {code:java}
> Index: lib/cpp/src/thrift/server/TNonblockingServer.cpp
> ===================================================================
> --- lib/cpp/src/thrift/server/TNonblockingServer.cpp  (revision 75217)
> +++ lib/cpp/src/thrift/server/TNonblockingServer.cpp  (working copy)
> @@ -473,8 +473,13 @@
> return;
> case SOCKET_RECV:
> - // It is an error to be in this state if we already have all the data
> - assert(readBufferPos_ < readWant_);
> + if (!(readBufferPos_ < readWant_)) {
> + GlobalOutput.printf("TNonblockingServer: frame size too short from client 
> %s",
> + tSocket_->getSocketInfo().c_str());
> + close();
> + return;
> + }
> try {
> // Read from the socket{code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to