handle invalid metadata payload correctly
Summary:
After deserializing metadata, the cursor location should match `frame.payload().metadataSize()` rather than just not be greater than it.

Current logic may allow an invalid setup frame to go through.

Reviewed By: tlj77

Differential Revision: D62332462

fbshipit-source-id: 2829f1e08f7167d438f2d9b06977e05d26406e6a
avalonalex authored and facebook-github-bot committed Sep 7, 2024
1 parent e3875b8 commit 8a3ea75
Showing 1 changed file with 2 additions and 2 deletions.
Expand Up @@ -210,7 +210,7 @@ void ThriftRocketServerHandler::handleSetupFrame(
reader.setInput(cursor);
// Throws on read error
meta.read(&reader);
if (reader.getCursorPosition() > frame.payload().metadataSize()) {
if (reader.getCursorPosition() != frame.payload().metadataSize()) {
return connection.close(folly::make_exception_wrapper<RocketException>(
ErrorCode::INVALID_SETUP,
"Error deserializing SETUP payload: underflow"));
Expand All @@ -220,7 +220,7 @@ void ThriftRocketServerHandler::handleSetupFrame(
reader.setInput(cursor);
// Throws on read error
meta.read(&reader);
if (reader.getCursorPosition() > frame.payload().metadataSize()) {
if (reader.getCursorPosition() != frame.payload().metadataSize()) {
return connection.close(folly::make_exception_wrapper<RocketException>(
ErrorCode::INVALID_SETUP,
"Error deserializing SETUP payload: underflow"));