Issue 192: Crash when sending specially crafted packet

Author: Christos Tsantilas

This is an unsigned-to-signed integer conversion problem. Inside the following functions:

process_bin_sasl_auth
process_bin_complete_sasl_auth
process_bin_update
process_bin_append_prepend

there is the following or a similar statement:

int vlen = c->binary_header.request.bodylen - nkey;

The c->binary_header.request.bodylen is an unsigned int; if it is bigger than INT_MAX and converted to a signed int, the result is a negative number, causing segfaults in memcached. The c->binary_header.request.bodylen is the request body length defined by the client request. Random bytes sent to memcached may be interpreted as a normal request with huge body data.

This patch just adds a check and rejects requests which report huge body data.

--- memcached-1.4.15.orig/memcached.c 2012-09-03 21:23:23.000000000 +0300 +++ memcached-1.4.15/memcached.c 2013-11-26 14:22:28.206370577 +0200 @@ -3446,6 +3446,22 @@ return -1; } + /* + issue #192: + c->binary_header.request.bodylen is an unsigned int but it is + used in many places as a signed int. + Add a check here to avoid bad integer type conversions which + may cause crashes to memcached. + */ + if (c->binary_header.request.bodylen > INT_MAX) { + if (settings.verbose) { + fprintf(stderr, "Invalid request body length: %u\n", + c->binary_header.request.bodylen); + } + conn_set_state(c, conn_closing); + return -1; + } + c->msgcurr = 0; c->msgused = 0; c->iovused = 0;
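Review bot: the `bodylen > INT_MAX` check stops the large-value wrap, but `int vlen = c->binary_header.request.bodylen - nkey;` in the callers listed in the description can still go negative when bodylen is smaller than nkey, so consider also rejecting requests whose bodylen is less than the key length (plus extlen where the caller subtracts it) at this same point, before any signed arithmetic runs. Also confirm that `<limits.h>` is included in memcached.c so that INT_MAX is defined; the `%u` format in the fprintf correctly matches the unsigned bodylen.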
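The conversion described in the report, as an added example that is not part of the issue or of memcached's own code: a constructed stand-in for the header fields (the real struct has more members and is packed), the pre-patch arithmetic that wraps negative for bodylen values above INT_MAX, and a checked variant that applies the patch's INT_MAX test plus an additional bodylen-versus-key-length check, which is an assumption added here and not part of the submitted patch.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the relevant fields of the binary request
 * header; the real memcached struct has more members and is packed. */
struct bin_request_header {
    uint32_t bodylen;   /* total body length as sent by the client, unsigned */
    uint16_t keylen;    /* key length, also client-controlled */
};

/* Reproduces the pre-patch arithmetic from the report: the unsigned
 * bodylen is assigned to a signed int, so any value above INT_MAX wraps
 * to a negative number (implementation-defined, negative on common ABIs). */
int vlen_unchecked(const struct bin_request_header *h) {
    int nkey = h->keylen;
    int vlen = h->bodylen - nkey;
    return vlen;
}

/* Checked variant: reject before any signed arithmetic happens.
 * Returns 0 and stores the value length on success, -1 on a bad request. */
int vlen_checked(const struct bin_request_header *h, int *out_vlen) {
    uint32_t nkey = h->keylen;

    /* The patch's check: a value above INT_MAX cannot be held in an int. */
    if (h->bodylen > (uint32_t)INT_MAX) {
        return -1;
    }
    /* Assumption, not in the patch: the body must at least contain the key,
     * otherwise the subtraction still underflows to a negative length. */
    if (h->bodylen < nkey) {
        return -1;
    }
    *out_vlen = (int)(h->bodylen - nkey);
    return 0;
}

int main(void) {
    /* Constructed inputs: a body length above INT_MAX, and a sane request. */
    struct bin_request_header bad = { 0xFFFFFFF0u, 4 };
    struct bin_request_header ok  = { 16, 4 };
    int v = 0;

    printf("unchecked vlen for bodylen=0x%x: %d\n",
           bad.bodylen, vlen_unchecked(&bad));
    printf("checked: bad -> %d, ok -> %d (vlen %d)\n",
           vlen_checked(&bad, &v), vlen_checked(&ok, &v), v);
    return 0;
}
```

The unchecked function shows why the crash is reachable from random bytes: nothing about the arithmetic itself fails, the negative length is only noticed later when it is used as a size. The checked function returns an error code so the caller can close the connection, as the patch does with conn_set_state.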