Blame SOURCES/memcached-CVE-2011-4971.patch
commit 6695ccbc525c36d693aaa3e8337b36aa0c784424
Author: Huzaifa Sidhpurwala <huzaifas@redhat.com>
Date: Sun Dec 8 17:33:15 2013 -0800
Fix segfault on specially crafted packet.
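--- a/memcached.c
+++ b/memcached.c
@@ -3872,6 +3872,16 @@ static void drive_machine(conn *c) {
 complete_nread(c);
 break;
 }
+
+ /* Check if rbytes < 0, to prevent crash */
+ if (c->rlbytes < 0) {
+ if (settings.verbose) {
+ fprintf(stderr, "Invalid rlbytes to read: len %d\n", c->rlbytes);
+ }
+ conn_set_state(c, conn_closing);
+ break;
+ }
+
 /* first check if we have leftovers in the conn_read buffer */
 if (c->rbytes > 0) {
 int tocopy = c->rbytes > c->rlbytes ? c->rlbytes : c->rbytes;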
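Review bot: The comment on the new guard says `rbytes`, but the condition tests `c->rlbytes`, and both fields are used a few lines below, so the wording is easy to misread; I would write `/* rlbytes comes from the request and is signed: a negative value must close the connection before it is used as a copy length */`. The guard matters because the context line `int tocopy = c->rbytes > c->rlbytes ? c->rlbytes : c->rbytes;` would otherwise yield a negative `tocopy`, which is presumably passed on as a size further down (not visible here). It would also be worth rejecting the length where `rlbytes` is assigned from the parsed header, which is outside this hunk, so that a connection never enters this state with an invalid value. drive_machine starts and ends outside the hunk.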
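--- /dev/null
+++ b/t/issue_192.t
@@ -0,0 +1,20 @@
+#!/usr/bin/perl
+
+use strict;
+use Test::More tests => 2;
+use FindBin qw($Bin);
+use lib "$Bin/lib";
+use MemcachedTest;
+
+my $server = new_memcached();
+my $sock = $server->sock;
+
+ok($server->new_sock, "opened new socket");
+
+print $sock "\x80\x12\x00\x01\x08\x00\x00\x00\xff\xff\xff\xe8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xff\x01\x00\x00\x00\x00\x00\x00\x00\x00\x000\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
+
+sleep 0.5;
+ok($server->new_sock, "failed to open new socket");
+
+
+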
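Review bot: `sleep 0.5;` does not wait, because Perl's built-in `sleep` takes whole seconds and truncates 0.5 to 0; the second `new_sock` check can therefore run before the server has processed the request and pass even if the server dies a moment later. Adding `use Time::HiRes qw(sleep);` next to the other `use` lines makes the fractional delay real. The description of the second assertion, `"failed to open new socket"`, is what gets printed when the check passes, so something like `"server still accepts connections after malformed request"` would read correctly in the test output. The file also enables `use strict;` without `use warnings;`.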