Memcached segfault on increment
Cosimo Streppone
cosimo at opera.com
Thu Jun 19 09:52:04 UTC 2008
Janusz Dziemidowicz wrote:
> 2008/6/18 Dustin Sallings <dustin at spy.net>:
>> Please try the latest version of my tree and let me know if you have any
>> more problems. I have been unable to crash memcached since this morning.
>>
>> http://github.com/dustin/memcached
>> In particular, Tomash's fix:
>> http://github.com/dustin/memcached/commit/74d5235 made my fuzzer happy. I
>> ran about 20 minutes of fuzz plus the case that broke consistently for me
>> many times and saw no errors.
>
> I can confirm that this particular patch fixes the problem for me.
> Without it, your fuzzer was crashing memcached on second run with
> exactly the same stack trace from Valgrind as I've posted earlier.
> With this patch, I too was unable to crash it. Thanks a lot :)
Can the same patch be relevant also in out_string()?
At this point I don't really understand the code enough.
Just wondering.
    if ((len + 2) > c->wsize) {
        /* ought to be always enough. just fail for simplicity */
        str = "SERVER_ERROR output line too long";
        len = strlen(str);
    }

    memcpy(c->wbuf, str, len);
    memcpy(c->wbuf + len, "\r\n", 3);   /* *** <-- HERE ? */
    c->wbytes = len + 2;
    c->wcurr = c->wbuf;
Or just look for ', 3' :)
--
Cosimo
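The following C program is an added illustration of the question raised above; it is not code from the memcached tree, from the linked commit, or from anyone in this thread. It models the quoted guard and trailing copy with a hypothetical `struct conn` of my own: the guard `len + 2 > wsize` admits a line with `len == wsize - 2`, and a three-byte copy of `"\r\n"` (the two visible bytes plus the string literal's NUL terminator) then writes one byte past `wbuf`. It goes one step beyond the mail by also showing a variant that copies only the two bytes the `wbytes` count actually accounts for, checked with a canary byte placed directly after the buffer. The names `overrun_bytes`, `out_line_checked` and `canary_survives` are mine.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical connection struct; only the write-buffer fields matter here. */
struct conn {
    char *wbuf;
    int   wsize;
    int   wbytes;
    char *wcurr;
};

/* Bytes the terminator copy would write beyond wbuf for a line of `len`
 * bytes under the quoted guard, if the copy moves `ncopy` bytes:
 * 2 for "\r\n", 3 for "\r\n" plus its NUL, which is what the quoted
 * memcpy(..., "\r\n", 3) does. Returns -1 when the guard refuses the line. */
int overrun_bytes(int len, int wsize, int ncopy)
{
    if (len + 2 > wsize)
        return -1;              /* guard fires; the line itself is not copied */
    int end = len + ncopy;      /* index one past the last byte written */
    return end > wsize ? end - wsize : 0;
}

/* Append str + "\r\n" into c->wbuf in the shape of the quoted code, but
 * copy only the two visible bytes. c->wbytes never counted the NUL, so
 * dropping it changes nothing for whoever drains the buffer. Returns 0 on
 * success, -1 if the line does not fit (nothing is written in that case). */
int out_line_checked(struct conn *c, const char *str)
{
    size_t len = strlen(str);
    if (len + 2 > (size_t)c->wsize)
        return -1;
    memcpy(c->wbuf, str, len);
    memcpy(c->wbuf + len, "\r\n", 2);
    c->wbytes = (int)len + 2;
    c->wcurr = c->wbuf;
    return 0;
}

/* Build a 16-byte wbuf with a canary byte right after it, write `line`
 * through out_line_checked, and report 1 if the canary survived,
 * 0 if it was clobbered, -1 if the write was refused. */
int canary_survives(const char *line)
{
    char storage[16 + 1];                        /* 16 bytes of wbuf + 1 canary */
    struct conn c = { storage, 16, 0, storage };
    storage[16] = 'X';
    if (out_line_checked(&c, line) != 0)
        return -1;
    return storage[16] == 'X' ? 1 : 0;
}

int main(void)
{
    /* Constructed 14-byte line: len + 2 == wsize exactly, the boundary case. */
    const char *line = "12345678901234";
    printf("3-byte copy overruns by %d byte(s)\n", overrun_bytes(14, 16, 3));
    printf("2-byte copy overruns by %d byte(s)\n", overrun_bytes(14, 16, 2));
    printf("canary after bounded write: %d\n", canary_survives(line));
    return 0;
}
```

The interesting value is the boundary case: with `wsize == 16` and a 14-byte line the guard passes, and only the width of the final copy decides whether the write stays inside the buffer.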