[jira] [Updated] (THRIFT-3062) C++ TServerSocket invalid port number (over 999999) causes stack corruption
[ https://issues.apache.org/jira/browse/THRIFT-3062?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James E. King, III updated THRIFT-3062:
---------------------------------------
    Description:

In {{TServerSocket::listen()}} a buffer of size 7 is allocated for the string to numeric translation of the port number, defined as {{int}}:
{noformat}
char port[sizeof("65536") + 1];
...
sprintf(port, "%d", port_);
{noformat}
An input of 100 or more will cause stack corruption. Recommend changing sprintf to something safer, or making a larger buffer. In this case, one can safely allocate a fixed size buffer on the stack to accommodate the largest result possible, avoiding the problem.

Alternatively, ensure the input is bound, which is what {{TSocket::localOpen()}} does.

  was:

In {{TServerSocket::listen()}} a buffer of size 7 is allocated for the string to numeric translation of the port number, defined as {{int}}:
{noformat}
char port[sizeof("65536") + 1];
...
sprintf(port, "%d", port_);
{noformat}
An input of 100 or more will cause stack corruption. Recommend changing sprintf to something safer, or making a larger buffer. In this case, one can safely allocate a fixed size buffer on the stack to accommodate the largest result possible, avoiding the problem.

> C++ TServerSocket invalid port number (over 99) causes stack corruption
> -----------------------------------------------------------------------
>
>                 Key: THRIFT-3062
>                 URL: https://issues.apache.org/jira/browse/THRIFT-3062
>             Project: Thrift
>          Issue Type: Bug
>          Components: C++ - Library
>    Affects Versions: 0.9.2
>            Reporter: James E. King, III
>              Labels: security
>
> In {{TServerSocket::listen()}} a buffer of size 7 is allocated for the string to numeric translation of the port number, defined as {{int}}:
> {noformat}
> char port[sizeof("65536") + 1];
> ...
> sprintf(port, "%d", port_);
> {noformat}
> An input of 100 or more will cause stack corruption. Recommend changing sprintf to something safer, or making a larger buffer. In this case, one can safely allocate a fixed size buffer on the stack to accommodate the largest result possible, avoiding the problem.
> Alternatively, ensure the input is bound, which is what {{TSocket::localOpen()}} does.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
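Added example (not part of the issue or of the Thrift code base): the overflow described above next to the two fixes the reporter names, a buffer sized for the largest possible int and a bound on the port value, with snprintf() length checks in place of sprintf(). The function and constant names are my own.

```cpp
// Added example (not Thrift project code): the sprintf() pattern from
// TServerSocket::listen() with the two fixes the report suggests: a
// buffer sized for the largest possible int, and a bounds check on the
// port value before formatting.
#include <cstdio>
#include <limits>
#include <string>

// Bytes the original code reserved: sizeof("65536") + 1 == 7, i.e. room
// for six characters plus the terminating NUL.
constexpr std::size_t kOriginalBuf = sizeof("65536") + 1;

// Largest text "%d" can produce for an int: digits10 always-representable
// digits, +1 possible extra digit, +1 for '-', +1 for NUL (12 on 32-bit).
constexpr std::size_t kMaxIntText = std::numeric_limits<int>::digits10 + 3;

// The check sprintf() never makes: would "%d" of `port` fit in a buffer
// of `bufsize` bytes? snprintf() with size 0 writes nothing and returns
// the length that would be needed.
bool fits_in_buffer(int port, std::size_t bufsize) {
    int needed = std::snprintf(nullptr, 0, "%d", port);
    return needed >= 0 && static_cast<std::size_t>(needed) < bufsize;
}

// Fix 1: size the stack buffer for the largest possible result, so any
// int formats safely (the value is still not validated as a port).
std::string format_port_any_int(int port) {
    char buf[kMaxIntText];
    int n = std::snprintf(buf, sizeof(buf), "%d", port);
    if (n < 0 || static_cast<std::size_t>(n) >= sizeof(buf)) return std::string();
    return std::string(buf);
}

// Fix 2: bound the input the way the report says TSocket::localOpen()
// does. With 0..65535 enforced, at most 5 digits plus NUL are written,
// so the original 7-byte buffer is provably sufficient.
bool format_port_bounded(int port, std::string& out) {
    if (port < 0 || port > 65535) return false;
    char buf[kOriginalBuf];
    int n = std::snprintf(buf, sizeof(buf), "%d", port);
    if (n < 0 || static_cast<std::size_t>(n) >= sizeof(buf)) return false;
    out.assign(buf);
    return true;
}

int main() {
    std::string s;
    return (fits_in_buffer(65535, kOriginalBuf) && !fits_in_buffer(1000000, kOriginalBuf)
            && format_port_bounded(8080, s) && !format_port_bounded(1000000, s)) ? 0 : 1;
}
```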
[jira] [Updated] (THRIFT-3062) C++ TServerSocket invalid port number (over 999999) causes stack corruption
[ https://issues.apache.org/jira/browse/THRIFT-3062?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James E. King, III updated THRIFT-3062:
---------------------------------------
    Attachment: THRIFT-3062.patch

I have attached a patch for this. Note that this particular patch depends on my patch in THRIFT-1025 being applied first because that one adds unit testing on new code introduced to TServerSocket, and this patch extends the unit test for TServerSocket with an additional test case.
[jira] [Updated] (THRIFT-3062) C++ TServerSocket invalid port number (over 999999) causes stack corruption
[ https://issues.apache.org/jira/browse/THRIFT-3062?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jens Geyer updated THRIFT-3062:
-------------------------------
    Labels: security  (was: )