[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] CVE request -- memcached
From: Jamie Strandboge <jamie () canonical ! com>
Date: 2010-04-08 16:57:39
Message-ID: 1270745859.25949.80.camel () severus ! strandboge ! com
[Download RAW message or body]
FYI, this issue was recently pointed out to me:
http://code.google.com/p/memcached/issues/detail?id=102
A remote attacker who is allowed to connect to memcached can crash the
server by sending bad input. I've not investigated this to see if it is
more than a DoS.
People wanting to fix this may want to more thoroughly look at the
patch[1]. After a cursory glance at it, I'm not sure it is enough:
1. it uses:
if (strcmp(ptr, "get ") && strcmp(ptr, "gets ")) {
Why not use something like (*totally* untested):
if (strncmp(ptr, "get ", 5) && strncmp(ptr, "gets ", 5)) {
just in case ptr is not NULL terminated? I haven't checked if this is an
actual issue, but it certainly wouldn't hurt. '5' should probably be
changed to something more reasonable.
2. As I read the patch, couldn't an attacker send crafted input after
the 4 reallocs and then achieve the same thing (a DoS)?. Perhaps this
isn't a problem since it limits the object size to 1MB (according to the
FAQ [2]).
[1]http://github.com/memcached/memcached/commit/75cc83685e103bc8ba380a57468c8f04413033f9
[2]http://code.google.com/p/memcached/wiki/FAQ
--
Jamie Strandboge | http://www.canonical.com
["signature.asc" (application/pgp-signature)]
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic