CVE-2019-11938
Description
Java Facebook Thrift servers would not error upon receiving messages declaring containers of sizes larger than the payload. As a result, malicious clients could send short messages which would result in a large memory allocation, potentially leading to denial of service. This issue affects Facebook Thrift prior to v2019.12.09.00.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
OSV package coordinates (22 versions):
- pkg:apk/chainguard/libthrift
- pkg:apk/chainguard/libthrift-glib
- pkg:apk/chainguard/libthriftnb
- pkg:apk/chainguard/libthriftz
- pkg:apk/chainguard/py3.10-thrift
- pkg:apk/chainguard/py3.11-thrift
- pkg:apk/chainguard/py3.12-thrift
- pkg:apk/chainguard/py3.13-thrift
- pkg:apk/chainguard/py3-supported-thrift
- pkg:apk/chainguard/thrift
- pkg:apk/chainguard/thrift-dev
- pkg:apk/wolfi/libthrift
- pkg:apk/wolfi/libthrift-glib
- pkg:apk/wolfi/libthriftnb
- pkg:apk/wolfi/libthriftz
- pkg:apk/wolfi/py3.10-thrift
- pkg:apk/wolfi/py3.11-thrift
- pkg:apk/wolfi/py3.12-thrift
- pkg:apk/wolfi/py3.13-thrift
- pkg:apk/wolfi/py3-supported-thrift
- pkg:apk/wolfi/thrift
- pkg:apk/wolfi/thrift-dev
Patches
Vulnerability mechanics
Root cause
"Missing validation of container size against remaining frame data before memory allocation in Java Thrift protocol deserialization."
Attack vector
An unauthenticated attacker sends a crafted Thrift message over the network declaring a container (list, set, or map) with an extremely large size but providing only a small payload. The server reads the size field and immediately allocates memory proportional to that declared size without verifying that the remaining frame bytes can actually contain that many elements. A short message therefore triggers a large memory allocation, leading to denial of service via memory exhaustion. The attack requires no authentication and can be performed over any network path from which the Thrift server is reachable. [CWE-789] [ref_id=1]
Affected code
The vulnerability exists in the Java Thrift protocol deserialization code, specifically in `TBinaryProtocol.java` and `TCompactProtocol.java` within the `readMapBegin()`, `readListBegin()`, and `readSetBegin()` methods. These methods read container size fields from the wire without validating that the remaining frame data is sufficient to hold the declared number of elements. The fix introduces `ensureContainerHasEnough()` and `ensureMapHasEnough()` checks in the base `TProtocol.java` class, along with `typeMinimumSize()` overrides for each protocol variant.
What the fix does
The patch adds `ensureContainerHasEnough(size, type)` and `ensureMapHasEnough(size, keyType, valueType)` methods to the base `TProtocol` class. These methods compute the minimum number of remaining bytes required to deserialize the declared container elements (using `typeMinimumSize()` to get the smallest possible encoding size per element) and compare that against `trans_.getBytesRemainingInBuffer()`. If the remaining bytes are insufficient, a `TProtocolException` is thrown instead of proceeding with the oversized allocation. Each protocol subclass overrides `typeMinimumSize()` to return the correct minimum byte size for its encoding format (e.g., 1 byte for variable-length integers in compact protocol). This prevents the server from allocating memory for containers whose declared size exceeds the actual available data. [ref_id=1] [ref_id=2]
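The following Python sketch is an added illustration of the check described above, not fbthrift's own code: it parses a TBinaryProtocol list header, and applies ensureContainerHasEnough / ensureMapHasEnough against the bytes left in the frame before any container could be sized. The TType ids are Thrift's real wire values; the per-type minimum sizes, the function names and the two constructed frames are this example's assumptions.

```python
import struct

# Thrift TType wire ids (real values from the Thrift spec)
T_BOOL, T_BYTE, T_DOUBLE, T_I16, T_I32, T_I64 = 2, 3, 4, 6, 8, 10
T_STRING, T_STRUCT, T_MAP, T_SET, T_LIST = 11, 12, 13, 14, 15
# Assumed minimum encoded size of one value per type in TBinaryProtocol:
# a string is at least its 4-byte length prefix, a struct its STOP byte,
# a list/set its 5-byte header and a map its 6-byte header.
MIN_SIZE = {T_BOOL: 1, T_BYTE: 1, T_DOUBLE: 8, T_I16: 2, T_I32: 4, T_I64: 8,
            T_STRING: 4, T_STRUCT: 1, T_MAP: 6, T_SET: 5, T_LIST: 5}

class TProtocolException(Exception):
    pass

def type_minimum_size(ttype):
    return MIN_SIZE.get(ttype, 1)

def ensure_container_has_enough(size, elem_type, remaining):
    """Reject a declared element count the remaining frame bytes cannot hold."""
    need = size * type_minimum_size(elem_type)
    if size < 0 or need > remaining:
        raise TProtocolException(f"{size} elements need >= {need} bytes, {remaining} remain")

def ensure_map_has_enough(size, key_type, value_type, remaining):
    need = size * (type_minimum_size(key_type) + type_minimum_size(value_type))
    if size < 0 or need > remaining:
        raise TProtocolException(f"{size} entries need >= {need} bytes, {remaining} remain")

def read_list_begin(frame, offset=0):
    """Binary-protocol list header: elem-type byte + big-endian i32 count.
    The check runs before a caller could size a list to `size`."""
    if len(frame) - offset < 5:
        raise TProtocolException("truncated list header")
    elem_type, size = struct.unpack_from(">bi", frame, offset)
    ensure_container_has_enough(size, elem_type, len(frame) - offset - 5)
    return elem_type, size

def is_rejected(reader, frame):
    """True when the header is refused (the checked path for a hostile frame)."""
    try:
        reader(frame)
        return False
    except TProtocolException:
        return True

# Constructed frames: an honest list of two i32s, and a short message that
# declares a billion i32 elements while carrying only 8 payload bytes.
HONEST_LIST = struct.pack(">bi", T_I32, 2) + struct.pack(">ii", 1, 2)
HOSTILE_LIST = struct.pack(">bi", T_I32, 1_000_000_000) + b"\x00" * 8
```

Without the check, the second frame would let the reader size a list for a billion elements from 13 bytes of input; with it, the header is refused before anything is allocated.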
Preconditions
- network: The attacker must be able to send a crafted Thrift message to a Java Thrift server.
- auth: No authentication is required; the vulnerability is triggered during initial deserialization of the message frame.
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/facebook/fbthrift/commit/08c2d412adb214c40bb03be7587057b25d053030 (MISC)
- github.com/facebook/fbthrift/commit/71c97ffdcb61cccf1f8267774e873e21ebd3ebd3 (MISC)
- www.facebook.com/security/advisories/cve-2019-11938 (CONFIRM)