Updates:
Status: Started
Owner: trond.norbye
Comment #1 on issue 102 by trond.norbye: Piping null to the server will crash it
http://code.google.com/p/memcached/issues/detail?id=102

The problem here is that the client will try to spool the data it receives from the client until it receives '\n' (indicating that it got the complete command). In this case we never receive '\n', so we end up reallocating the input buffer until realloc fails, causing the client connection to be shut down. My server didn't crash, but that could be caused by other mallocs succeeding (and failing in your case). There might therefore be a path through the code that doesn't handle a malloc failure.

To protect us against someone eating up all of the memory in one buffer, I suggest that we just shut down the connection if we receive more than KEY_MAX_LENGTH + let's say 100 bytes (command, flags, length, cas etc) without seeing '\n'.

Another part of the problem is try_read_network. In this function we try to read out all of the data from the socket, reallocating the input buffer to a bigger buffer if there is more data available. In the test-case above we might never break out of this loop, because one core can fill the buffer while the other core on the system is busy reading and reallocating. As a workaround for this we should jump back out after a low number of reallocs.

Proposed fix at: http://github.com/trondn/memcached/tree/issue_102
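The two limits suggested in the comment above, sketched as an added example (not memcached's code and not the contents of the proposed-fix branch). The struct, the function names, the value 250 for KEY_MAX_LENGTH, the cap of 4 reallocs and the 16-byte first allocation are assumptions; an in-memory byte source stands in for the socket.

```c
#include <stdlib.h>
#include <string.h>

#define KEY_MAX_LENGTH 250              /* assumed value of the limit named above */
#define MAX_LINE (KEY_MAX_LENGTH + 100) /* slack for command, flags, length, cas */
#define MAX_REALLOCS 4                  /* assumed "low number" of grows per pass */
#define FIRST_ALLOC 16                  /* assumed, kept small for the example */

enum rd { RD_NEED_MORE, RD_LINE, RD_YIELD, RD_CLOSE };
struct inbuf { char *data; size_t used, size; };  /* hypothetical input buffer */

/* One read pass: copy pending bytes from *src (stand-in for the socket),
 * doubling the buffer when full but stopping after MAX_REALLOCS grows. */
static enum rd read_pass(struct inbuf *b, const char **src, size_t *left)
{
    int grows = 0;
    while (*left > 0) {
        if (b->used == b->size) {
            if (grows++ == MAX_REALLOCS) return RD_YIELD; /* data stays queued */
            size_t nsize = b->size ? b->size * 2 : FIRST_ALLOC;
            char *n = realloc(b->data, nsize);
            if (n == NULL) return RD_CLOSE;   /* allocation failure is handled */
            b->data = n; b->size = nsize;
        }
        size_t room = b->size - b->used;
        size_t take = *left < room ? *left : room;
        memcpy(b->data + b->used, *src, take);
        b->used += take; *src += take; *left -= take;
    }
    return RD_NEED_MORE;
}

/* A complete line is accepted; more than MAX_LINE bytes without '\n' is not. */
static enum rd check_line(const struct inbuf *b)
{
    if (b->used > 0 && memchr(b->data, '\n', b->used) != NULL)
        return RD_LINE;
    return b->used > MAX_LINE ? RD_CLOSE : RD_NEED_MORE;
}

/* One event-loop turn for a connection: read a bounded amount, then decide. */
enum rd feed(struct inbuf *b, const char **src, size_t *left)
{
    enum rd r = read_pass(b, src, left);
    if (r == RD_CLOSE) return r;
    enum rd l = check_line(b);
    return l == RD_NEED_MORE ? r : l;  /* RD_YIELD surfaces if no verdict yet */
}
```

With a constructed newline-free flood of zero bytes, the first turn returns RD_YIELD after four grows and the second returns RD_CLOSE once the buffered data exceeds MAX_LINE, so neither the buffer nor the read loop is unbounded.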