Issue 192: Crash when sending specially crafted packet
Author: Christos Tsantilas <christos@chtsanti.net>

This is an unsigned to signed integers conversion problem.
Inside the following functions:
 process_bin_sasl_auth
 process_bin_complete_sasl_auth
 process_bin_update
 process_bin_append_prepend

there is the following or a similar statement:
 int vlen = c->binary_header.request.bodylen - nkey;

The c->binary_header.request.bodylen is an unsigned int which, if it is bigger
than INT_MAX and converted to a signed int, will result in a negative number
causing segfaults in memcached.
The c->binary_header.request.bodylen is the request body length defined by
the client request. Random bytes sent to memcached may be interpreted
as a normal request with huge body data.
This patch just adds a check and rejects requests which report huge body data.


--- memcached-1.4.15.orig/memcached.c	2012-09-03 21:23:23.000000000 +0300
+++ memcached-1.4.15/memcached.c	2013-11-26 14:22:28.206370577 +0200
@@ -3446,6 +3446,22 @@
                 return -1;
             }
 
+            /*
+              issue #192:
+              c->binary_header.request.bodylen is an unsigned int but it is
+              used in many places as a signed int.  
+              Add a check here to avoid bad integer type conversions which
+              may cause crashes to memcached.
+            */
+            if (c->binary_header.request.bodylen > INT_MAX) {
+                if (settings.verbose) {
+                    fprintf(stderr, "Invalid request body length:  %u\n",
+                            c->binary_header.request.bodylen);
+                }
+                conn_set_state(c, conn_closing);
+                return -1;
+            }
+
             c->msgcurr = 0;
             c->msgused = 0;
             c->iovused = 0;
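Review bot: The new guard on `c->binary_header.request.bodylen > INT_MAX` only closes the large-value half of the problem described in the header; the `int vlen = c->binary_header.request.bodylen - nkey` statements quoted there are still unsigned subtractions, so a bodylen smaller than the key (or key plus extras) length wraps to a huge unsigned value and then converts to a negative `vlen` exactly as before. Those per-command handlers are outside this hunk, but each should reject a negative result as well, e.g. `if (vlen < 0) { ... conn_set_state(c, conn_closing); return; }`, or equivalently the subtraction should be done in unsigned and compared against bodylen before the cast. If the handlers later add the trailing "\r\n" to the value length (`vlen + 2`), a limit of `INT_MAX - 2` here would be safer than `INT_MAX`, since `INT_MAX + 2` is signed overflow; I cannot see those call sites from this hunk, so please confirm. The enclosing function that owns this header-validation block starts and ends outside the hunk.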