
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2019-3553 affects C++ Facebook Thrift servers, where the servers would not error upon receiving messages declaring containers of sizes larger than the payload. The vulnerability was discovered in Facebook's Thrift implementation and was disclosed in March 2020 (NVD).
The vulnerability stems from how the Thrift servers handle container size declarations in messages. When reading container sizes, the servers would blindly pre-allocate containers without verifying whether the actual payload contained sufficient data. This could allow an attacker to send a small message that declares a large container size, causing the server to allocate excessive amounts of memory. The issue was present in both container handling and string reading operations (GitHub Commit, GitHub String Fix).
The vulnerability could be exploited to cause denial-of-service conditions by forcing servers to allocate large amounts of memory (multiple gigabytes) while sending only a few bytes of actual data. This could lead to server resource exhaustion and system instability (GitHub Commit).
The issue was fixed by implementing proper size validation before memory allocation. The fix includes checking that there is at least 1 byte per element in the buffer for containers, and verifying the actual data availability before allocating memory for strings. Updates were released that implement these checks to prevent malicious memory allocation (GitHub Commit, GitHub String Fix).
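The two checks described above, sketched as an added example; this is not code from Thrift or from the referenced commits. The `Cursor` type, the function names, and the wire layout (a 32-bit big-endian size prefix followed by one-byte elements) are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical cursor over one received message (not a Thrift class).
struct Cursor {
    const uint8_t* data; size_t len; size_t pos;
    Cursor(const uint8_t* d, size_t n) : data(d), len(n), pos(0) {}
    size_t remaining() const { return len - pos; }
};

// Read a 32-bit big-endian size prefix; fails if fewer than 4 bytes remain.
static bool readU32(Cursor& c, uint32_t& v) {
    if (c.remaining() < 4) return false;
    v = 0;
    for (int i = 0; i < 4; ++i) v = (v << 8) | c.data[c.pos++];
    return true;
}

// Container: each element takes at least 1 byte on the wire, so a declared
// count above the bytes still unread cannot be honest. Reject before reserve().
static bool readByteList(Cursor& c, std::vector<uint8_t>& out) {
    uint32_t n;
    if (!readU32(c, n) || n > c.remaining()) return false;
    out.reserve(n);  // bounded by data actually received
    out.insert(out.end(), c.data + c.pos, c.data + c.pos + n);
    c.pos += n;
    return true;
}

// String: the declared length must be fully present before allocating.
static bool readString(Cursor& c, std::string& out) {
    uint32_t n;
    if (!readU32(c, n) || n > c.remaining()) return false;
    out.assign(reinterpret_cast<const char*>(c.data + c.pos), n);
    c.pos += n;
    return true;
}

int main() {
    // Constructed message: declares 0x7fffffff elements, carries 1 byte.
    const uint8_t msg[] = {0x7f, 0xff, 0xff, 0xff, 0x01};
    Cursor c(msg, sizeof msg);
    std::vector<uint8_t> v;
    std::printf("oversized list accepted: %d\n", readByteList(c, v) ? 1 : 0);
    return 0;
}
```

Without the `n > c.remaining()` comparison, the `reserve(n)` call would be driven entirely by the attacker-supplied prefix, which is the pre-allocation behaviour the advisory describes.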
Source: This report was generated using AI