Comment #4 on issue 158 by marcolslaviero: Single packet DoS on UDP channel
http://code.google.com/p/memcached/issues/detail?id=158
Thanks for the feedback, and apologies for supplying a PoC that didn't demo the
issue sufficiently; that was pretty fail for a PoC. However, I believe the
bug to still be present, as I'll show below. I'm less sure as to the cause:
large packet sizes trigger the bug sooner, but using a packet size of 10
also triggers the bug on my side, eventually.
I can trigger the bug on Snow Leopard (Darwin insurrection.local 10.4.0
Darwin Kernel Version 10.4.0: Fri Apr 23 18:28:53 PDT 2010;
root:xnu-1504.7.4~1/RELEASE_I386 i386) by running the PoC four times (works
for both ascii and binary protocols) using a packet size of 1200. This too
is the case on Linux, repeating the PoC four times triggers the bug.
Below is an OSX backtrace after the bug had been triggered, and memcached
was consuming full CPU:
(gdb) bt
#0 0x00007fff85ab508a in kevent ()
#1 0x00000001000300e3 in kq_dispatch ()
#2 0x000000010002380e in event_base_loop ()
#3 0x0000000100002be7 in main (argc=3, argv=0x7fff5fbff9b0) at memcached.c:4681
(Note: the libevent for the OSX version was 1.4.2. Latest libevent was on
Linux)
Not much to go on, I'm afraid.
It may also help to mention that if "-v -v" is enabled, then once the bug is
triggered no further debug messages are printed to the console for UDP
comms. TCP traffic still generates the regular debug notices.