Comment #22 on issue 192 by [email protected]: Crash when sending
specially crafted packet
http://code.google.com/p/memcached/issues/detail?id=192
The attached patches to this issue hide the problem but they do not solve it.

This is an unsigned to signed integer conversion problem.
Inside the following functions:
    process_bin_sasl_auth
    process_bin_complete_sasl_auth
    process_bin_update
    process_bin_append_prepend
there is the following or a similar statement:
    int vlen = c->binary_header.request.bodylen - nkey;

The c->binary_header.request.bodylen is an unsigned int which, if it is bigger than INT_MAX and converted to a signed int, will result in a negative number, causing segfaults in memcached.

The c->binary_header.request.bodylen is the request body length defined by the client request. Random bytes sent to memcached may be interpreted as a normal request with huge body data.

There are 2-3 different ways to solve this problem.
This patch just adds a check and rejects requests which report huge body data.

Regards,
Christos
Attachments:
memcached-1.4.15-issue-192-chtsanti-t1.patch 1.8 KB
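
The conversion described in the comment above, shown next to a validate-before-convert version, as an added example that is not part of the original message, the attached patch or memcached's code. The struct, the function names and the header values are hypothetical; the bodylen < keylen test is an extra check not mentioned in the comment.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the header fields named in the comment
 * (request.bodylen and the key length); not memcached's own struct. */
struct req_hdr {
    uint32_t bodylen;  /* total body length, set by the client */
    uint16_t keylen;   /* key length, set by the client */
};

/* The quoted pattern: the subtraction is done in unsigned arithmetic and
 * the result is stored in an int, so values above INT_MAX come out
 * negative on the usual two's-complement platforms. */
static int vlen_unchecked(const struct req_hdr *h)
{
    int nkey = h->keylen;
    int vlen = h->bodylen - nkey;
    return vlen;
}

/* Validate before converting. Returns 0 and stores the value length,
 * or -1 if the request should be rejected. The bodylen < keylen test is
 * an extra check added for this example. */
static int vlen_checked(const struct req_hdr *h, int *vlen)
{
    if (h->bodylen > (uint32_t)INT_MAX)
        return -1;                       /* would not fit in an int */
    if (h->bodylen < (uint32_t)h->keylen)
        return -1;                       /* key longer than the body */
    *vlen = (int)(h->bodylen - h->keylen);
    return 0;
}

int main(void)
{
    /* Constructed header values, not taken from a real capture. */
    struct req_hdr huge = { 0xFFFFFFF0u, 4 };
    struct req_hdr sane = { 100, 4 };
    int v = 0;
    int rc_huge = vlen_checked(&huge, &v);
    int rc_sane = vlen_checked(&sane, &v);

    printf("unchecked huge: vlen=%d\n", vlen_unchecked(&huge));
    printf("checked huge:   rc=%d\n", rc_huge);
    printf("checked sane:   rc=%d vlen=%d\n", rc_sane, v);
    return 0;
}
```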