fix info-header string bound check in THeaderTransport::readString #3610
dxbjavid wants to merge 2 commits into
Conversation
Pls read your email. Now.
Code review
Found 3 issues (adversarially verified with failing tests):
1. Lines 345–347 of the new test describe the byte-level overread path in terms that name the exact exploitation mechanism. AGENTS.md §6 requires neutral functional language in inline comments; the description of what the old code allowed to happen should be rephrased in terms of the invariant being enforced rather than the failure mode. (thrift/lib/cpp/test/ThrifttReadCheckTests.cpp, lines 345 to 347 in 5c190a7.) Verified: text absent from base commit.
2. The new guard catches negative (thrift/lib/cpp/src/thrift/transport/THeaderTransport.cpp, lines 205 to 206 in 5c190a7.) Verified: Docker test confirmed the path is reachable and behaves differently on base vs. PR code.
3. Moving (thrift/lib/cpp/src/thrift/transport/THeaderTransport.cpp, lines 204 to 209 in 5c190a7.) Verified: Docker two-state proof via subclass harness — assertion that
Client: cpp
When reading the key/value info headers of a THeader frame, readString reads the length varint and then bounds it against the bytes left in the header section. The comparison uses ptr before it is moved past the varint, so the remaining count is overstated by the width of the length field, and a negative length (a varint with the high bit set) is not rejected at all. With a header section sized to fill the receive buffer, either case lets a wire-supplied length exceed the header bytes that are actually present. Bound the length against the position that follows the varint, reject a negative length, and only advance ptr once those checks pass so the documented advance-on-success behaviour still holds. Regression tests covering both the oversized and the negative length are added to ThrifttReadCheckTests.
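The corrected check the commit message describes, as an added illustration that is not the PR's or Thrift's own code: a standalone reader for a varint-prefixed string that bounds the length against the position after the varint, rejects a negative length, and advances ptr only once both checks pass. The varint helper, the function names and the constructed byte sequences are assumptions, not THeaderTransport's real interface.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

// Decode a 7-bit-per-byte varint (assumed encoding; high bit = continuation) from
// [ptr, end). Returns the number of bytes the varint occupies; throws if truncated.
static size_t readVarint32(const uint8_t* ptr, const uint8_t* end, int32_t& out) {
  uint32_t result = 0;
  size_t i = 0;
  for (int shift = 0;; shift += 7) {
    if (ptr + i >= end || i >= 5) throw std::runtime_error("varint truncated");
    uint8_t b = ptr[i++];
    result |= static_cast<uint32_t>(b & 0x7f) << shift;
    if ((b & 0x80) == 0) break;
  }
  out = static_cast<int32_t>(result);  // bit 31 set => negative length
  return i;
}

// Read one length-prefixed string from the header section [ptr, end). On success
// ptr is moved past the string; on failure ptr is left untouched and an error thrown.
std::string readHeaderString(const uint8_t*& ptr, const uint8_t* end) {
  int32_t len = 0;
  size_t width = readVarint32(ptr, end, len);
  const uint8_t* afterLen = ptr + width;  // where the string bytes actually start
  if (len < 0) throw std::runtime_error("negative string length");
  // Bounding against ptr instead of afterLen would overstate the remaining
  // bytes by `width`, which is exactly the defect the fix removes.
  if (static_cast<size_t>(len) > static_cast<size_t>(end - afterLen))
    throw std::runtime_error("string length exceeds header section");
  std::string value(reinterpret_cast<const char*>(afterLen), static_cast<size_t>(len));
  ptr = afterLen + len;  // advance only once every check has passed
  return value;
}

struct ReadResult { bool ok; std::string value; size_t consumed; };

// Harness: run readHeaderString over a constructed header section and report
// whether it was accepted, what was read, and how far ptr moved.
ReadResult tryReadHeaderString(const std::vector<uint8_t>& section) {
  const uint8_t* begin = section.data();
  const uint8_t* ptr = begin;
  try {
    std::string v = readHeaderString(ptr, begin + section.size());
    return {true, v, static_cast<size_t>(ptr - begin)};
  } catch (const std::runtime_error&) {
    return {false, "", static_cast<size_t>(ptr - begin)};  // stays 0 on failure
  }
}
```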
5c190a7 to 050a1ce
all three addressed in the latest push.
also read your email, thanks.
Client: cpp
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Thank you @Jens-G. Appreciated.
The info-header string length is bounded against the header section before ptr moves past the length varint, so the remaining count is overstated by the varint width and a negative length is never rejected. A regression test is added to ThrifttReadCheckTests.