aboutsummaryrefslogtreecommitdiffstats
path: root/main/memcached/CVE-2011-4971.patch
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2013-12-03 12:28:12 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-12-03 12:28:49 +0000
commitdeded5f6427a47a48eac3311151c147dab49cdd6 (patch)
treec6e916624bd9f60abd4ab0317d88209473b68681 /main/memcached/CVE-2011-4971.patch
parent8d663144da2b4cac4c6312be9111b938df121d75 (diff)
downloadaports-deded5f6427a47a48eac3311151c147dab49cdd6.tar.bz2
aports-deded5f6427a47a48eac3311151c147dab49cdd6.tar.xz
main/memcached: security workaround for CVE-2011-4971
ref #2451
Diffstat (limited to 'main/memcached/CVE-2011-4971.patch')
-rw-r--r--main/memcached/CVE-2011-4971.patch47
1 files changed, 47 insertions, 0 deletions
diff --git a/main/memcached/CVE-2011-4971.patch b/main/memcached/CVE-2011-4971.patch
new file mode 100644
index 0000000000..fc02be8686
--- /dev/null
+++ b/main/memcached/CVE-2011-4971.patch
@@ -0,0 +1,47 @@
+Issue 192: Crash when sending specially crafted packet
+Author: Christos Tsantilas <christos@chtsanti.net>
+
+This is an unsigned to signed integers conversion problem.
+Inside the following functions:
+ process_bin_sasl_auth
+ process_bin_complete_sasl_auth
+ process_bin_update
+ process_bin_append_prepend
+
+there is the following or a similar statement:
+ int vlen = c->binary_header.request.bodylen - nkey;
+
+The c->binary_header.request.bodylen is an unsigned int which if it is bigger
+than the INT_MAX and converted to a signed int will result to a negative number
+causing segfaults to memcached.
+The c->binary_header.request.bodylen is the request body length defined by
+the client request. Random bytes sent to the memcached may interpeted
+as a normal request with huge body data.
+This patch just add a check and reject requests which report huge body data.
+
+
+--- memcached-1.4.15.orig/memcached.c 2012-09-03 21:23:23.000000000 +0300
++++ memcached-1.4.15/memcached.c 2013-11-26 14:22:28.206370577 +0200
+@@ -3446,6 +3446,22 @@
+ return -1;
+ }
+
++ /*
++ issue #192:
++ c->binary_header.request.bodylen is an unsigned int but it is
++ used in many places as a signed int.
++ Add a check here to avoid bad integer type conversions which
++ may cause crashes to memcached.
++ */
++ if (c->binary_header.request.bodylen > INT_MAX) {
++ if (settings.verbose) {
++ fprintf(stderr, "Invalid request body length: %u\n",
++ c->binary_header.request.bodylen);
++ }
++ conn_set_state(c, conn_closing);
++ return -1;
++ }
++
+ c->msgcurr = 0;
+ c->msgused = 0;
+ c->iovused = 0;