Status: New
Owner: ----
Labels: Type-Defect Priority-Medium
New issue 306 by [email protected]: Crash when performing deletion
http://code.google.com/p/memcached/issues/detail?id=306
1) Run memcached 1.4.4 on RHEL6 and pass "-vv"
2) Send binary deletion requests.
memcached will print the key being deleted to stderr (file: memcached.c,
function: process_bin_delete, ll. 2002 ff.):
    if (settings.verbose > 1) {
        fprintf(stderr, "Deleting %s\n", key);
    }
Since the key is not NUL-terminated this may run off the end of the
connexion object's read buffer and cause a seg-fault. Compare the code for
printing the key elsewhere (file: memcached.c, function process_bin_update,
ll. 1842 ff.):
    if (settings.verbose > 1) {
        int ii;
        if (c->cmd == PROTOCOL_BINARY_CMD_ADD) {
            fprintf(stderr, "<%d ADD ", c->sfd);
        } else if (c->cmd == PROTOCOL_BINARY_CMD_SET) {
            fprintf(stderr, "<%d SET ", c->sfd);
        } else {
            fprintf(stderr, "<%d REPLACE ", c->sfd);
        }
        for (ii = 0; ii < nkey; ++ii) {
            fprintf(stderr, "%c", key[ii]);
        }
        fprintf(stderr, " Value len is %d", vlen);
        fprintf(stderr, "\n");
    }
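
Added example, not part of the original report and not memcached code: one way to log a length-delimited key without reading past nkey bytes, which also escapes non-printable bytes that a binary-protocol key may contain. The helper name format_key and the sample buffer are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical helper (assumption, not a memcached function).
 * Renders exactly nkey bytes of key into out and never reads key[nkey]
 * or beyond. Non-printable bytes and backslashes are written as \xNN so
 * a binary key cannot put control characters into the log. Returns the
 * number of characters written, excluding the terminating NUL; output
 * is truncated if out is too small.
 */
static size_t format_key(char *out, size_t outsz,
                         const char *key, size_t nkey)
{
    size_t o = 0;

    if (outsz == 0)
        return 0;
    for (size_t i = 0; i < nkey; ++i) {
        unsigned char ch = (unsigned char)key[i];
        if (isprint(ch) && ch != '\\') {
            if (o + 1 >= outsz)     /* keep room for the NUL */
                break;
            out[o++] = (char)ch;
        } else {
            if (o + 4 >= outsz)     /* 4 chars of escape plus NUL */
                break;
            snprintf(out + o, outsz - o, "\\x%02x", ch);
            o += 4;
        }
    }
    out[o] = '\0';
    return o;
}

int main(void)
{
    /* Constructed read buffer: a 3-byte key followed by other bytes, no NUL. */
    const char rbuf[] = { 'f', 'o', 'o', 'v', 'a', 'l', 'u', 'e' };
    char line[64];

    format_key(line, sizeof line, rbuf, 3);
    fprintf(stderr, "Deleting %s\n", line);
    return 0;
}
```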