thrift-dev mailing list archives

From "pengzhouhu (Jira)" <j...@apache.org>
Subject [jira] [Commented] (THRIFT-4928) Sensitive information about expected and actual reading lengths (len, got) is leaked from TIOStreamTransport to TTransport through a TTransportException
Date Sat, 07 Sep 2019 13:09:00 GMT

    [ https://issues.apache.org/jira/browse/THRIFT-4928?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16924869#comment-16924869 ]

pengzhouhu commented on THRIFT-4928:
------------------------------------

[~jensg][~xiaoqin.fu] I think pushing a public CVE before talking about it in Jira is not a good
idea; it will be a little negative.

If you are worried about it, I'm happy to work together with you to solve this problem.

In my experience, the bugs from taint paths always exist in special methods of use.

We need more information to repeat that situation.

> Sensitive information about expected and actual reading lengths (len, got) is leaked from TIOStreamTransport to TTransport through a TTransportException
> --------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: THRIFT-4928
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4928
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.11.0, 0.12.0
>         Environment: 	Ubuntu 16.04.3 LTS
> 	Open JDK version "1.8.0_191" build 25.191-b12
>            Reporter: xiaoqin.fu
>            Priority: Major
>
>    Operations: During Apache Thrift integration testing, I developed a calculator application with a client and a server. The client sent a computational command and got the result from the server. After I applied a dynamic taint analyzer (distTaint), I finally found bugs from taint paths.
>   The source: org.apache.thrift.transport.TIOStreamTransport:
>     public int read(byte[] buf, int off, int len) throws TTransportException {
>     if (inputStream_ == null) {
>       throw new TTransportException(TTransportException.NOT_OPEN, "Cannot read from null inputStream");
>     }
>     int bytesRead;
> 	......
>       bytesRead = inputStream_.read(buf, off, len);
> 	......
>   }
>   
>   The sink: org.apache.thrift.transport.TTransport, 
>   public int readAll(byte[] buf, int off, int len)
> 	throws TTransportException {
> 	......	
> 	if (ret <= 0) {
> 		throw new TTransportException(
> 		"Cannot read. Remote side has closed. Tried to read "
> 			+ len
> 			+ " bytes, but only got "
> 			+ got
> 			+ " bytes. (This is often indicative of an internal error on the server side. Please check your server logs.)");
> 		}
> 	......
>   }
>   Sensitive information about expected and actual reading lengths (len, got) is leaked.
>   The tainted path:
>    org.apache.thrift.transport.TIOStreamTransport --> 
>    org.apache.thrift.transport.TTransport
>    
> I am going to submit a CVE, so please confirm this is not a true positive.



--
This message was sent by Atlassian Jira
(v8.3.2#803003)
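
For readers weighing the report above, here is an added example (not part of the original message and not Thrift's own code) of handling such an exception at a trust boundary: the detailed message with `len` and `got` goes to the local log, and the remote caller receives only an opaque reference. `TransportException`, `readAll` and `handleRequest` are hypothetical stand-ins written for this sketch; the message text mirrors the sink quoted in the issue.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

public class ExceptionBoundaryDemo {
    private static final Logger LOG = Logger.getLogger("transport");

    // Hypothetical stand-in for the library exception; not Thrift's class.
    static class TransportException extends Exception {
        TransportException(String msg) { super(msg); }
    }

    // Mirrors the quoted readAll() sink: len and got end up in the message.
    static int readAll(InputStream in, byte[] buf, int off, int len) throws TransportException {
        int got = 0;
        while (got < len) {
            int ret;
            try {
                ret = in.read(buf, off + got, len - got);
            } catch (IOException e) {
                throw new TransportException("I/O error: " + e.getMessage());
            }
            if (ret <= 0) {
                throw new TransportException("Cannot read. Remote side has closed. Tried to read "
                        + len + " bytes, but only got " + got + " bytes.");
            }
            got += ret;
        }
        return got;
    }

    // Trust boundary: full detail is logged locally, the caller sees only an opaque id.
    static String handleRequest(InputStream in, int expected) {
        try {
            readAll(in, new byte[expected], 0, expected);
            return "OK";
        } catch (TransportException e) {
            String id = UUID.randomUUID().toString();
            LOG.log(Level.WARNING, "transport failure id=" + id, e);
            return "ERROR transport failure (ref " + id + ")";
        }
    }

    public static void main(String[] args) {
        // Constructed input: 3 bytes available while 8 are expected.
        System.out.println(handleRequest(new ByteArrayInputStream(new byte[] {1, 2, 3}), 8));
    }
}
```

Running it prints a line of the form `ERROR transport failure (ref <uuid>)`, while the warning in the local log carries the original text with the two lengths.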
