Diffstat (limited to 'main/memcached/CVE-2011-4971.patch')
-rw-r--r-- | main/memcached/CVE-2011-4971.patch | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/main/memcached/CVE-2011-4971.patch b/main/memcached/CVE-2011-4971.patch
new file mode 100644
index 0000000000..fc02be8686
--- /dev/null
+++ b/main/memcached/CVE-2011-4971.patch
@@ -0,0 +1,47 @@
+Issue 192: Crash when sending specially crafted packet
+Author: Christos Tsantilas <christos@chtsanti.net>
+
+This is an unsigned to signed integers conversion problem.
+Inside the following functions:
+ process_bin_sasl_auth
+ process_bin_complete_sasl_auth
+ process_bin_update
+ process_bin_append_prepend
+
+there is the following or a similar statement:
+ int vlen = c->binary_header.request.bodylen - nkey;
+
+The c->binary_header.request.bodylen is an unsigned int which if it is bigger
+than the INT_MAX and converted to a signed int will result to a negative number
+causing segfaults to memcached.
+The c->binary_header.request.bodylen is the request body length defined by
+the client request. Random bytes sent to the memcached may interpeted
+as a normal request with huge body data.
+This patch just add a check and reject requests which report huge body data.
+
+
+--- memcached-1.4.15.orig/memcached.c 2012-09-03 21:23:23.000000000 +0300
++++ memcached-1.4.15/memcached.c 2013-11-26 14:22:28.206370577 +0200
+@@ -3446,6 +3446,22 @@
+ return -1;
+ }
+
++ /*
++ issue #192:
++ c->binary_header.request.bodylen is an unsigned int but it is
++ used in many places as a signed int.
++ Add a check here to avoid bad integer type conversions which
++ may cause crashes to memcached.
++ */
++ if (c->binary_header.request.bodylen > INT_MAX) {
++ if (settings.verbose) {
++ fprintf(stderr, "Invalid request body length: %u\n",
++ c->binary_header.request.bodylen);
++ }
++ conn_set_state(c, conn_closing);
++ return -1;
++ }
++
+ c->msgcurr = 0;
+ c->msgused = 0;
+ c->iovused = 0; |
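Review bot: The guard added in the memcached.c hunk bounds `c->binary_header.request.bodylen` only from above, so the subtraction quoted in the patch description, `int vlen = c->binary_header.request.bodylen - nkey;`, can still go negative when a client sends a key length larger than the body length. Unless that relation is validated somewhere outside this hunk, the same check should reject it too, e.g. `if (c->binary_header.request.keylen + c->binary_header.request.extlen > c->binary_header.request.bodylen) { conn_set_state(c, conn_closing); return -1; }` (this assumes the header fields are already in host byte order at this point, which should be confirmed). The rejection is also printed only under `settings.verbose`, so a default deployment closes these connections without leaving anything to alert on. The enclosing function starts and ends outside the hunk.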