[jira] [Updated] (THRIFT-3062) C++ TServerSocket invalid port number (over 999999) causes stack corruption

2015-03-31 Thread James E. King, III (JIRA) 

 [ 
https://issues.apache.org/jira/browse/THRIFT-3062?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James E. King, III updated THRIFT-3062:
---
Description: 
In {{TServerSocket::listen()}} a buffer of size 7 is allocated for the string 
to numeric translation of the port number, defined as {{int}}:
{noformat}  char port[sizeof(65536) + 1];
  ...
  sprintf(port, %d, port_);{noformat}
An input of 100 or more will cause stack corruption.  Recommend changing 
sprintf to something safer, or making a larger buffer.  In this case, one can 
safely allocate a fixed size buffer on the stack to accomodate the largest 
result possible, avoiding the problem.  Alternatively, ensure the input is 
bound, which is what {{TSocket::localOpen()}} does.

  was:
In {{TServerSocket::listen()}} a buffer of size 7 is allocated for the string 
to numeric translation of the port number, defined as {{int}}:
{noformat}  char port[sizeof(65536) + 1];
  ...
  sprintf(port, %d, port_);{noformat}
An input of 100 or more will cause stack corruption.  Recommend changing 
sprintf to something safer, or making a larger buffer.  In this case, one can 
safely allocate a fixed size buffer on the stack to accomodate the largest 
result possible, avoiding the problem.



 C++ TServerSocket invalid port number (over 99) causes stack corruption
 ---

 Key: THRIFT-3062
 URL: https://issues.apache.org/jira/browse/THRIFT-3062
 Project: Thrift
  Issue Type: Bug
  Components: C++ - Library
Affects Versions: 0.9.2
Reporter: James E. King, III
  Labels: security

 In {{TServerSocket::listen()}} a buffer of size 7 is allocated for the string 
 to numeric translation of the port number, defined as {{int}}:
 {noformat}  char port[sizeof(65536) + 1];
   ...
   sprintf(port, %d, port_);{noformat}
 An input of 100 or more will cause stack corruption.  Recommend changing 
 sprintf to something safer, or making a larger buffer.  In this case, one can 
 safely allocate a fixed size buffer on the stack to accomodate the largest 
 result possible, avoiding the problem.  Alternatively, ensure the input is 
 bound, which is what {{TSocket::localOpen()}} does.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Updated] (THRIFT-3062) C++ TServerSocket invalid port number (over 999999) causes stack corruption

2015-03-31 Thread James E. King, III (JIRA) 

 [ 
https://issues.apache.org/jira/browse/THRIFT-3062?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

James E. King, III updated THRIFT-3062:
---
Attachment: THRIFT-3062.patch

I have attached a patch for this.  Note that this particular patch depends on 
my patch in THRIFT-1025 being applied first because that one adds unit testing 
on new code introduced to TServerSocket, and this patch extends the unit test 
for TServerSocket with an additional test case.

 C++ TServerSocket invalid port number (over 99) causes stack corruption
 ---

 Key: THRIFT-3062
 URL: https://issues.apache.org/jira/browse/THRIFT-3062
 Project: Thrift
  Issue Type: Bug
  Components: C++ - Library
Affects Versions: 0.9.2
Reporter: James E. King, III
  Labels: security
 Attachments: THRIFT-3062.patch


 In {{TServerSocket::listen()}} a buffer of size 7 is allocated for the string 
 to numeric translation of the port number, defined as {{int}}:
 {noformat}  char port[sizeof(65536) + 1];
   ...
   sprintf(port, %d, port_);{noformat}
 An input of 100 or more will cause stack corruption.  Recommend changing 
 sprintf to something safer, or making a larger buffer.  In this case, one can 
 safely allocate a fixed size buffer on the stack to accomodate the largest 
 result possible, avoiding the problem.  Alternatively, ensure the input is 
 bound, which is what {{TSocket::localOpen()}} does.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Updated] (THRIFT-3062) C++ TServerSocket invalid port number (over 999999) causes stack corruption

2015-03-30 Thread Jens Geyer (JIRA) 

 [ 
https://issues.apache.org/jira/browse/THRIFT-3062?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jens Geyer updated THRIFT-3062:
---
Labels: security  (was: )

 C++ TServerSocket invalid port number (over 99) causes stack corruption
 ---

 Key: THRIFT-3062
 URL: https://issues.apache.org/jira/browse/THRIFT-3062
 Project: Thrift
  Issue Type: Bug
  Components: C++ - Library
Affects Versions: 0.9.2
Reporter: James E. King, III
  Labels: security

 In {{TServerSocket::listen()}} a buffer of size 7 is allocated for the string 
 to numeric translation of the port number, defined as {{int}}:
 {noformat}  char port[sizeof(65536) + 1];
   ...
   sprintf(port, %d, port_);{noformat}
 An input of 100 or more will cause stack corruption.  Recommend changing 
 sprintf to something safer, or making a larger buffer.  In this case, one can 
 safely allocate a fixed size buffer on the stack to accomodate the largest 
 result possible, avoiding the problem.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)