|
 |
b0376c |
diff -up memcached-1.4.15/items.c.CVE-2016-8704_8705_8706 memcached-1.4.15/items.c
|
|
|
b0376c |
--- memcached-1.4.15/items.c.CVE-2016-8704_8705_8706 2016-11-07 11:14:13.099196427 +0100
|
|
|
b0376c |
+++ memcached-1.4.15/items.c 2016-11-07 11:14:13.104196443 +0100
|
|
|
b0376c |
@@ -91,6 +91,9 @@ item *do_item_alloc(char *key, const siz
|
|
|
b0376c |
uint8_t nsuffix;
|
|
|
b0376c |
item *it = NULL;
|
|
|
b0376c |
char suffix[40];
|
|
|
b0376c |
+ if (nbytes < 2 || nkey < 0)
|
|
|
b0376c |
+ return 0;
|
|
|
b0376c |
+
|
|
|
b0376c |
size_t ntotal = item_make_header(nkey + 1, flags, nbytes, suffix, &nsuffix);
|
|
|
b0376c |
if (settings.use_cas) {
|
|
|
b0376c |
ntotal += sizeof(uint64_t);
|
|
|
b0376c |
diff -up memcached-1.4.15/memcached.c.CVE-2016-8704_8705_8706 memcached-1.4.15/memcached.c
|
|
|
b0376c |
--- memcached-1.4.15/memcached.c.CVE-2016-8704_8705_8706 2016-11-07 11:14:13.103196439 +0100
|
|
|
b0376c |
+++ memcached-1.4.15/memcached.c 2016-11-07 11:14:13.105196446 +0100
|
|
|
b0376c |
@@ -1790,10 +1790,16 @@ static bool authenticated(conn *c) {
|
|
|
b0376c |
static void dispatch_bin_command(conn *c) {
|
|
|
b0376c |
int protocol_error = 0;
|
|
|
b0376c |
|
|
|
b0376c |
- int extlen = c->binary_header.request.extlen;
|
|
|
b0376c |
- int keylen = c->binary_header.request.keylen;
|
|
|
b0376c |
+ uint8_t extlen = c->binary_header.request.extlen;
|
|
|
b0376c |
+ uint16_t keylen = c->binary_header.request.keylen;
|
|
|
b0376c |
uint32_t bodylen = c->binary_header.request.bodylen;
|
|
|
b0376c |
|
|
|
b0376c |
+ if (keylen > bodylen || keylen + extlen > bodylen) {
|
|
|
b0376c |
+ write_bin_error(c, PROTOCOL_BINARY_RESPONSE_UNKNOWN_COMMAND, 0);
|
|
|
b0376c |
+ c->write_and_go = conn_closing;
|
|
|
b0376c |
+ return;
|
|
|
b0376c |
+ }
|
|
|
b0376c |
+
|
|
|
b0376c |
if (settings.sasl && !authenticated(c)) {
|
|
|
b0376c |
write_bin_error(c, PROTOCOL_BINARY_RESPONSE_AUTH_ERROR, 0);
|
|
|
b0376c |
c->write_and_go = conn_closing;
|