
List:       oss-security
Subject:    Re: [oss-security] CVE request -- memcached
From:       Josh Bressers <bressers () redhat ! com>
Date:       2010-04-08 20:20:59
Message-ID: 743166559.326141270758059951.JavaMail.root () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com

Please use CVE-2010-1152 for this.

Thanks.

-- 
    JB


----- "Jamie Strandboge" <jamie@canonical.com> wrote:

> FYI, this issue was recently pointed out to me:
> http://code.google.com/p/memcached/issues/detail?id=102
> 
> A remote attacker who is allowed to connect to memcached can crash the
> server by sending bad input. I've not investigated this to see if it is
> more than a DoS.
> 
> People wanting to fix this may want to more thoroughly look at the
> patch[1]. After a cursory glance at it, I'm not sure it is enough:
> 1. it uses:
>   if (strcmp(ptr, "get ") && strcmp(ptr, "gets ")) {
> 
> Why not use something like (*totally* untested):
>   if (strncmp(ptr, "get ", 5) && strncmp(ptr, "gets ", 5)) {
> 
> just in case ptr is not NULL terminated? I haven't checked if this is an
> actual issue, but it certainly wouldn't hurt. '5' should probably be
> changed to something more reasonable.
> 
> 2. As I read the patch, couldn't an attacker send crafted input after
> the 4 reallocs and then achieve the same thing (a DoS)? Perhaps this
> isn't a problem since it limits the object size to 1MB (according to the
> FAQ [2]).
> 
> 
> [1]http://github.com/memcached/memcached/commit/75cc83685e103bc8ba380a57468c8f04413033f9
> [2]http://code.google.com/p/memcached/wiki/FAQ
> 
> -- 
> Jamie Strandboge             | http://www.canonical.com
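The two points raised above (a comparison that must not depend on the receive buffer being NUL-terminated, and a bound on how much newline-less input is kept before the connection is dropped) can be shown in a small stand-alone C example. This is added illustration written for this thread; it is not memcached's code and not the patch under discussion. The 1024-byte line limit, the 100-byte leading-whitespace allowance and the `check_long_line`/`has_prefix` names are assumptions made for the example. The example also contrasts `strcmp`, `strncmp(..., 4)` and `strncmp(..., 5)` against the literal `"get "`: the length argument must be the length of the prefix itself (4 for `"get "`, 5 for `"gets "`), because a length that reaches past the literal's last character compares its terminating NUL as well, which turns the prefix test into an exact-match test.

```c
/* Added example for the oss-security thread on CVE-2010-1152.
 * Not memcached code: limits and function names below are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LINE_LIMIT     1024   /* assumed: bytes accepted before a '\n' is required */
#define MAX_LEADING_WS  100   /* assumed: leading spaces tolerated on a long line  */

enum verdict { KEEP_READING = 0, CLOSE_CONN = 1 };

/* Bounded prefix match on a buffer that may lack a terminator.
 * memcmp with the literal's own length never reads past len and never
 * relies on buf[] containing a NUL. */
static int has_prefix(const char *buf, size_t len, const char *pfx)
{
    size_t plen = strlen(pfx);
    return len >= plen && memcmp(buf, pfx, plen) == 0;
}

/* Called when len bytes have arrived and none of them is '\n'.
 * A line still under the limit is kept; an over-long line is kept only if
 * it looks like the start of a large "get"/"gets" multiget, otherwise the
 * connection is closed so unbounded input cannot grow the read buffer. */
enum verdict check_long_line(const char *buf, size_t len)
{
    if (len <= LINE_LIMIT)
        return KEEP_READING;
    size_t i = 0;
    while (i < len && buf[i] == ' ')     /* skip leading whitespace */
        i++;
    if (i > MAX_LEADING_WS)
        return CLOSE_CONN;
    if (has_prefix(buf + i, len - i, "get ") ||
        has_prefix(buf + i, len - i, "gets "))
        return KEEP_READING;
    return CLOSE_CONN;
}

/* Contrast of comparison styles on a NUL-terminated line: only the
 * prefix-length strncmp treats "get k1" as a get command. */
int strcmp_matches_get(const char *line)   { return strcmp(line, "get ") == 0; }
int strncmp4_matches_get(const char *line) { return strncmp(line, "get ", 4) == 0; }
int strncmp5_matches_get(const char *line) { return strncmp(line, "get ", 5) == 0; }

/* Constructed input: an oversize multiget with no trailing newline and no
 * NUL terminator, like a raw socket read buffer. Caller frees. */
char *make_multiget(size_t total_len)
{
    char *buf = malloc(total_len);
    if (!buf) abort();
    memcpy(buf, "get ", 4);
    for (size_t i = 4; i < total_len; i++)
        buf[i] = (i % 8 == 7) ? ' ' : 'k';
    return buf;
}

/* Constructed input: the same size of bytes that is not a command at all. */
char *make_junk(size_t total_len)
{
    char *buf = malloc(total_len);
    if (!buf) abort();
    memset(buf, 'A', total_len);
    return buf;
}

/* Convenience wrappers that build, check and free a constructed line. */
enum verdict verdict_for_multiget(size_t n)
{
    char *b = make_multiget(n);
    enum verdict v = check_long_line(b, n);
    free(b);
    return v;
}

enum verdict verdict_for_junk(size_t n)
{
    char *b = make_junk(n);
    enum verdict v = check_long_line(b, n);
    free(b);
    return v;
}

int main(void)
{
    printf("4096-byte multiget: %s\n",
           verdict_for_multiget(4096) == KEEP_READING ? "keep" : "close");
    printf("4096-byte junk:     %s\n",
           verdict_for_junk(4096) == KEEP_READING ? "keep" : "close");
    printf("\"get k1\" strcmp/strncmp4/strncmp5: %d %d %d\n",
           strcmp_matches_get("get k1"),
           strncmp4_matches_get("get k1"),
           strncmp5_matches_get("get k1"));
    return 0;
}
```

The `memcmp`-with-literal-length form in `has_prefix` is the idiom to prefer on raw protocol buffers: it is bounded by both the literal's length and the bytes actually received, so the question of whether `ptr` is terminated never arises.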