oss-sec mailing list archives
Re: CVE request -- memcached
From: Josh Bressers <bressers () redhat com>
Date: Thu, 8 Apr 2010 16:20:59 -0400 (EDT)
Please use CVE-2010-1152 for this. Thanks. -- JB ----- "Jamie Strandboge" <jamie () canonical com> wrote:
FYI, this issue was recently pointed out to me: http://code.google.com/p/memcached/issues/detail?id=102 A remote attacker who is allowed to connect to memcached can crash the server by sending bad input. I've not investigated this to see if it is more than a DoS. People wanting to fix this may want to more thoroughly look at the patch[1]. After a cursory glance at it, I'm not sure it is enough: 1. it uses: if (strcmp(ptr, "get ") && strcmp(ptr, "gets ")) { Why not use something like (*totally* untested): if (strncmp(ptr, "get ", 5) && strncmp(ptr, "gets ", 5)) { just in case ptr is not NULL terminated? I haven't checked if this is an actual issue, but it certainly wouldn't hurt. '5' should probably be changed to something more reasonable. 2. As I read the patch, couldn't an attacker send crafted input after the 4 reallocs and then achieve the same thing (a DoS)?. Perhaps this isn't a problem since it limits the object size to 1MB (according to the FAQ [2]). [1]http://github.com/memcached/memcached/commit/75cc83685e103bc8ba380a57468c8f04413033f9 [2]http://code.google.com/p/memcached/wiki/FAQ -- Jamie Strandboge | http://www.canonical.com
Current thread:
- CVE request -- memcached Jamie Strandboge (Apr 08)
- Re: CVE request -- memcached Jamie Strandboge (Apr 08)
- Re: CVE request -- memcached Josh Bressers (Apr 08)