author | Natanael Copa <ncopa@alpinelinux.org> | 2013-12-03 12:28:12 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-12-03 12:28:49 +0000 |
commit | deded5f6427a47a48eac3311151c147dab49cdd6 (patch) | |
tree | c6e916624bd9f60abd4ab0317d88209473b68681 /main/memcached/CVE-2011-4971.patch | |
parent | 8d663144da2b4cac4c6312be9111b938df121d75 (diff) | |
main/memcached: security workaround for CVE-2011-4971
ref #2451
Diffstat (limited to 'main/memcached/CVE-2011-4971.patch')
-rw-r--r-- | main/memcached/CVE-2011-4971.patch | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/main/memcached/CVE-2011-4971.patch b/main/memcached/CVE-2011-4971.patch
new file mode 100644
index 0000000000..fc02be8686
--- /dev/null
+++ b/main/memcached/CVE-2011-4971.patch
@@ -0,0 +1,47 @@
+Issue 192: Crash when sending specially crafted packet
+Author: Christos Tsantilas <christos@chtsanti.net>
+
+This is an unsigned to signed integers conversion problem.
+Inside the following functions:
+ process_bin_sasl_auth
+ process_bin_complete_sasl_auth
+ process_bin_update
+ process_bin_append_prepend
+
+there is the following or a similar statement:
+ int vlen = c->binary_header.request.bodylen - nkey;
+
+The c->binary_header.request.bodylen is an unsigned int which if it is bigger
+than the INT_MAX and converted to a signed int will result to a negative number
+causing segfaults to memcached.
+The c->binary_header.request.bodylen is the request body length defined by
+the client request. Random bytes sent to the memcached may interpeted
+as a normal request with huge body data.
+This patch just add a check and reject requests which report huge body data.
+
+
+--- memcached-1.4.15.orig/memcached.c 2012-09-03 21:23:23.000000000 +0300
++++ memcached-1.4.15/memcached.c 2013-11-26 14:22:28.206370577 +0200
+@@ -3446,6 +3446,22 @@
+ return -1;
+ }
+
++ /*
++ issue #192:
++ c->binary_header.request.bodylen is an unsigned int but it is
++ used in many places as a signed int.
++ Add a check here to avoid bad integer type conversions which
++ may cause crashes to memcached.
++ */
++ if (c->binary_header.request.bodylen > INT_MAX) {
++ if (settings.verbose) {
++ fprintf(stderr, "Invalid request body length: %u\n",
++ c->binary_header.request.bodylen);
++ }
++ conn_set_state(c, conn_closing);
++ return -1;
++ }
++
+ c->msgcurr = 0;
+ c->msgused = 0;
+ c->iovused = 0; |
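Review bot: The new guard in the inner hunk compares `c->binary_header.request.bodylen` against `INT_MAX`, but the patch adds no `#include <limits.h>`, so this backport relies on memcached.c already having that header in scope — worth confirming before relying on the build. The comment above the check says bodylen is "used in many places as a signed int" without naming the hazard; I would tie it to the concrete statement the patch header cites so the next reader sees why `INT_MAX` is the bound: `/* issue #192: bodylen feeds 'int vlen = bodylen - nkey' in process_bin_*; reject values that do not fit in an int */`. The diagnostic prints the bodylen field with `%u`; if the header declares it as `uint32_t`, as I believe protocol_binary.h does, `"%" PRIu32` from `<inttypes.h>` is the portable spelling, though `%u` is harmless wherever `uint32_t` is `unsigned int`. The function this check sits in begins before the hunk, so whether earlier lines already validate the rest of the header (magic, keylen against bodylen) cannot be seen here; a bodylen just under `INT_MAX` still reaches the per-command allocation path, which presumably fails cleanly there rather than crashing, but that is an inference from the hunk alone.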