Blame SOURCES/memcached-CVE-2013-0179_7290_7291.patch

e2a29e
commit 0f605245cf3f37c2efe4e225237ad17256ea2a34
e2a29e
Author: Jeremy Sowden <jeremy.sowden@gmail.com>
e2a29e
Date:   Wed Jan 9 15:43:41 2013 +0000
e2a29e
e2a29e
    Fix buffer-overrun when logging key to delete in binary protocol.
e2a29e
e2a29e
diff --git a/memcached.c b/memcached.c
e2a29e
index 3a79fba..f7a140c 100644
e2a29e
--- a/memcached.c
e2a29e
+++ b/memcached.c
e2a29e
@@ -2190,7 +2190,12 @@ static void process_bin_delete(conn *c) {
e2a29e
     assert(c != NULL);
e2a29e
 
e2a29e
     if (settings.verbose > 1) {
e2a29e
-        fprintf(stderr, "Deleting %s\n", key);
e2a29e
+        int ii;
e2a29e
+        fprintf(stderr, "Deleting ");
e2a29e
+        for (ii = 0; ii < nkey; ++ii) {
e2a29e
+            fprintf(stderr, "%c", key[ii]);
e2a29e
+        }
e2a29e
+        fprintf(stderr, "\n");
e2a29e
     }
e2a29e
 
e2a29e
     if (settings.detail_enabled) {
e2a29e
commit fbe823d9a61b5149cd6e3b5e17bd28dd3b8dd760
e2a29e
Author: dormando <dormando@rydia.net>
e2a29e
Date:   Fri Dec 20 13:25:43 2013 -0800
e2a29e
e2a29e
    fix potential unbounded key prints
e2a29e
    
e2a29e
    item key isn't necessarily null terminated. user submitted a patch for one,
e2a29e
    this clears two more.
e2a29e
e2a29e
diff --git a/items.c b/items.c
e2a29e
index d70400c..65b1a24 100644
e2a29e
--- a/items.c
e2a29e
+++ b/items.c
e2a29e
@@ -537,12 +537,16 @@ item *do_item_get(const char *key, const size_t nkey, const uint32_t hv) {
e2a29e
     int was_found = 0;
e2a29e
 
e2a29e
     if (settings.verbose > 2) {
e2a29e
+        int ii;
e2a29e
         if (it == NULL) {
e2a29e
-            fprintf(stderr, "> NOT FOUND %s", key);
e2a29e
+            fprintf(stderr, "> NOT FOUND ");
e2a29e
         } else {
e2a29e
-            fprintf(stderr, "> FOUND KEY %s", ITEM_key(it));
e2a29e
+            fprintf(stderr, "> FOUND KEY ");
e2a29e
             was_found++;
e2a29e
         }
e2a29e
+        for (ii = 0; ii < nkey; ++ii) {
e2a29e
+            fprintf(stderr, "%c", key[ii]);
e2a29e
+        }
e2a29e
     }
e2a29e
 
e2a29e
     if (it != NULL) {
e2a29e
diff --git a/memcached.c b/memcached.c
e2a29e
index f7a140c..6486ff2 100644
e2a29e
--- a/memcached.c
e2a29e
+++ b/memcached.c
e2a29e
@@ -2856,8 +2856,14 @@ static inline void process_get_command(conn *c, token_t *tokens, size_t ntokens,
e2a29e
                 }
e2a29e
 
e2a29e
 
e2a29e
-                if (settings.verbose > 1)
e2a29e
-                    fprintf(stderr, ">%d sending key %s\n", c->sfd, ITEM_key(it));
e2a29e
+                if (settings.verbose > 1) {
e2a29e
+                    int ii;
e2a29e
+                    fprintf(stderr, ">%d sending key ", c->sfd);
e2a29e
+                    for (ii = 0; ii < it->nkey; ++ii) {
e2a29e
+                        fprintf(stderr, "%c", key[ii]);
e2a29e
+                    }
e2a29e
+                    fprintf(stderr, "\n");
e2a29e
+                }
e2a29e
 
e2a29e
                 /* item_get() has incremented it->refcount for us */
e2a29e
                 pthread_mutex_lock(&c->thread->stats.mutex);