Diffstat (limited to 'main/memcached/CVE-2011-4971.patch')
-rw-r--r-- | main/memcached/CVE-2011-4971.patch | 47 |
1 files changed, 0 insertions, 47 deletions
diff --git a/main/memcached/CVE-2011-4971.patch b/main/memcached/CVE-2011-4971.patch
deleted file mode 100644
index fc02be8686..0000000000
--- a/main/memcached/CVE-2011-4971.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-Issue 192: Crash when sending specially crafted packet
-Author: Christos Tsantilas <christos@chtsanti.net>
-
-This is an unsigned to signed integers conversion problem.
-Inside the following functions:
- process_bin_sasl_auth
- process_bin_complete_sasl_auth
- process_bin_update
- process_bin_append_prepend
-
-there is the following or a similar statement:
- int vlen = c->binary_header.request.bodylen - nkey;
-
-The c->binary_header.request.bodylen is an unsigned int which if it is bigger
-than the INT_MAX and converted to a signed int will result to a negative number
-causing segfaults to memcached.
-The c->binary_header.request.bodylen is the request body length defined by
-the client request. Random bytes sent to the memcached may interpeted
-as a normal request with huge body data.
-This patch just add a check and reject requests which report huge body data.
-
-
---- memcached-1.4.15.orig/memcached.c 2012-09-03 21:23:23.000000000 +0300
-+++ memcached-1.4.15/memcached.c 2013-11-26 14:22:28.206370577 +0200
-@@ -3446,6 +3446,22 @@
- return -1;
- }
-
-+ /*
-+ issue #192:
-+ c->binary_header.request.bodylen is an unsigned int but it is
-+ used in many places as a signed int.
-+ Add a check here to avoid bad integer type conversions which
-+ may cause crashes to memcached.
-+ */
-+ if (c->binary_header.request.bodylen > INT_MAX) {
-+ if (settings.verbose) {
-+ fprintf(stderr, "Invalid request body length: %u\n",
-+ c->binary_header.request.bodylen);
-+ }
-+ conn_set_state(c, conn_closing);
-+ return -1;
-+ }
-+
- c->msgcurr = 0;
- c->msgused = 0;
- c->iovused = 0; |