thrift-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jens Geyer (Jira)" <j...@apache.org>
Subject [jira] [Commented] (THRIFT-4928) Sensitive information about expected and actual reading lengths (len, got) is leaked from TIOStreamTransport to TTransport through a TTransportException
Date Wed, 18 Sep 2019 17:55:00 GMT

    [ https://issues.apache.org/jira/browse/THRIFT-4928?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16932717#comment-16932717
] 

Jens Geyer commented on THRIFT-4928:
------------------------------------

[~q.xu] I have my own theory about that, but I certainly will not share it here. :)

> Sensitive information about expected and actual reading lengths (len, got) is leaked
from TIOStreamTransport to TTransport through a TTransportException
> --------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: THRIFT-4928
>                 URL: https://issues.apache.org/jira/browse/THRIFT-4928
>             Project: Thrift
>          Issue Type: Bug
>          Components: Java - Library
>    Affects Versions: 0.11.0, 0.12.0
>         Environment: 	Ubuntu 16.04.3 LTS
> 	Open JDK version "1.8.0_191" build 25.191-b12
>            Reporter: xiaoqin.fu
>            Priority: Major
>
>    Operations: During Apache Thrift integration testing, I developed a calculator application
with a client and a server. The client sent a computational command and get the result from
the server. After I applied dynamic taint analyzer (distTaint), I found bugs from taint paths
finally.
>   The source: org.apache.thrift.transport.TIOStreamTransport:
>     public int read(byte[] buf, int off, int len) throws TTransportException {
>     if (inputStream_ == null) {
>       throw new TTransportException(TTransportException.NOT_OPEN, "Cannot read from null
inputStream");
>     }
>     int bytesRead;
> 	......
>       bytesRead = inputStream_.read(buf, off, len);
> 	......
>   }
>   
>   The sink: org.apache.thrift.transport.TTransport, 
>   public int readAll(byte[] buf, int off, int len)
> 	throws TTransportException {
> 	......	
> 	if (ret <= 0) {
> 		throw new TTransportException(
> 		"Cannot read. Remote side has closed. Tried to read "
> 			+ len
> 			+ " bytes, but only got "
> 			+ got
> 			+ " bytes. (This is often indicative of an internal error on the server side. Please
check your server logs.)");
> 		}
> 	......
>   }
>   Sensitive information about expected and actual reading lengths (len, got) is leaked.
>   The tainted path:
>    org.apache.thrift.transport.TIOStreamTransport --> 
>    org.apache.thrift.transport.TTransport
>    
> I am going to submit a CVE, so please confirm this is not a true positive.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Mime
View raw message