Comment #4 on issue 27 by [email protected]: 1.3.2 stats call can result in
segfault due to buffer overflow in memcached.c:server_stats
http://code.google.com/p/memcached/issues/detail?id=27
Is this bug really fixed? In append_ascii_stats of memcached.c, I see this
line:
c->stats.offset += nbytes;
However, nbytes is the return value from snprintf. The man page states
that:
"... then the return value is the number of characters (excluding the
terminating null byte) which would have been written to the final string"
So after one call to append_ascii_stats, c->stats.offset can be greater
than c->stats.size. On a subsequent call, variables remaining and room
will be negative, but since snprintf takes an unsigned size_t for the size
parameter, it will risk overflow.
Propose that c->stats.offset += nbytes become c->stats.offset =
min(c->stats.offset + nbytes, c->stats.size), and that the function have an
early return: if (c->stats.offset == c->stats.size) return;
--
You received this message because you are subscribed to the Google Groups "memcached" group.
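The two behaviours the comment describes, as an added example that is not part of the original message and not memcached's own code: a stand-in stats buffer whose declared size is smaller than its real backing allocation, so the out-of-bounds write from the `offset += nbytes` pattern lands in inspectable slack (filled with a canary byte) rather than in unrelated memory. The struct, the sizes, the canary, the function names and the two sample STAT lines are all constructed for this example; the line format `STAT name value\r\n` is modelled on memcached's ASCII stats output. `append_unsafe` follows the pattern quoted in the comment (signed `remaining`, offset advanced by snprintf's return value); `append_safe` applies the proposed early return and `min(offset + nbytes, size)` clamp, and additionally reports truncation to the caller, which the proposal itself does not.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Size the append code *believes* the stats buffer has (hypothetical, small
 * so that a single STAT line overflows it). */
#define DECLARED_SIZE 16
/* Real allocation behind it, so the overflow lands in slack we can inspect
 * instead of in unrelated memory. */
#define BACKING_SIZE 64
#define CANARY 0xAA

/* Stand-in for the c->stats bookkeeping named in the comment; constructed
 * for this example, not memcached's own struct. */
struct stats_buf {
    char   buffer[BACKING_SIZE];
    size_t size;    /* what the append code thinks: DECLARED_SIZE */
    size_t offset;  /* bytes used so far */
};

static void stats_init(struct stats_buf *s)
{
    memset(s->buffer, CANARY, sizeof s->buffer);
    s->size = DECLARED_SIZE;
    s->offset = 0;
}

/* 1 if no byte beyond the declared size was touched. */
static int canary_intact(const struct stats_buf *s)
{
    for (size_t i = s->size; i < sizeof s->buffer; i++)
        if ((unsigned char)s->buffer[i] != CANARY)
            return 0;
    return 1;
}

/* The pattern the comment describes: 'remaining' is a signed int and the
 * offset is advanced by snprintf's return value, which is the length the
 * line WOULD have had, not the number of bytes actually written. */
static void append_unsafe(struct stats_buf *s, const char *name, const char *val)
{
    int remaining = (int)s->size - (int)s->offset;       /* negative once offset > size */
    int nbytes = snprintf(s->buffer + s->offset, (size_t)remaining, /* -7 becomes SIZE_MAX-6 */
                          "STAT %s %s\r\n", name, val);
    s->offset += nbytes;                                 /* can exceed s->size */
}

/* The proposed fix: early return when full, clamp the offset to the size.
 * Returns 1 if the whole line was stored, 0 if it was truncated or skipped,
 * so the caller can tell that the stats output is incomplete (the proposal
 * in the comment is silent about that). */
static int append_safe(struct stats_buf *s, const char *name, const char *val)
{
    if (s->offset >= s->size)
        return 0;                                        /* buffer already full */
    size_t room = s->size - s->offset;                   /* never negative now */
    int nbytes = snprintf(s->buffer + s->offset, room, "STAT %s %s\r\n", name, val);
    if (nbytes < 0)
        return 0;                                        /* encoding error */
    size_t want = s->offset + (size_t)nbytes;
    s->offset = want < s->size ? want : s->size;         /* min(offset + nbytes, size) */
    return (size_t)nbytes < room;                        /* fit only if nbytes <= room - 1 */
}

/* Two appends with the unsafe code; returns 1 if bytes past 'size' were clobbered. */
static int demo_unsafe_overflows(void)
{
    struct stats_buf s;
    stats_init(&s);
    append_unsafe(&s, "curr_items", "12345");    /* 23-char line into 16 bytes: offset -> 23 */
    append_unsafe(&s, "total_items", "67890");   /* remaining = -7, line written at buffer+23 */
    return !canary_intact(&s);
}

/* Same two appends with the fix; returns 1 if everything stayed in bounds. */
static int demo_safe_stays_in_bounds(void)
{
    struct stats_buf s;
    stats_init(&s);
    int first = append_safe(&s, "curr_items", "12345");    /* truncated, offset clamped to 16 */
    int second = append_safe(&s, "total_items", "67890");  /* skipped by the early return */
    return canary_intact(&s) && s.offset == s.size && first == 0 && second == 0;
}

int main(void)
{
    printf("unsafe append clobbered bytes past size: %s\n",
           demo_unsafe_overflows() ? "yes" : "no");
    printf("fixed append stayed in bounds: %s\n",
           demo_safe_stays_in_bounds() ? "yes" : "no");
    return 0;
}
```

The first unsafe append stops writing at 15 characters but still advances the offset by 23, so the second call computes a negative `remaining` and hands snprintf a size of roughly SIZE_MAX, which lets the full second line be written 23 bytes into a 16-byte buffer. The fixed version clamps the offset to the declared size and refuses further appends, so the worst case is a truncated stats response rather than a memory write past the buffer; whether a truncated response is acceptable, or whether the buffer should grow instead, is a separate decision the return value lets the caller make.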