CVE-2023-46852: proxy: fix buffer overflow with multiget syntax · memcached/memcached@76a6c36
In Memcached before 1.6.22, a buffer overflow exists when processing multiget requests in proxy mode, if there are many spaces after the "get" substring.
proxy: fix buffer overflow with multiget syntax
"get[200 spaces]key1 key2\r\n" would overflow a temporary buffer used to process multiget syntax.
To exploit this you must first pass the check in try_read_command_proxy:
- The request before the first newline must be less than 1024 bytes.
- If it is more than 1024 bytes there is a limit of 100 spaces.
- The key length is still checked at 250 bytes.
- Meaning you have up to 772 spaces and then the key to create stack corruption.
So the amount of data you can shove in here isn’t unlimited.
The fix caps the amount of data pre-key to be reasonable. Something like GAT needs space for a 32bit TTL which is at most going to be 15 bytes + spaces, so we limit it to 20 bytes.
I hate hate hate hate hate the multiget syntax. hate it.
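As an added illustration of the cap the commit message describes (this is example code written here, not memcached's own parser or the code in this commit): a bounded multiget prefix parser in C that measures the region between the command word and the first key, rejects the line when that region exceeds an assumed 20-byte limit, and only then copies the prefix into a fixed temporary buffer. The limit value, the buffer size, the "get"/"gat" handling and all function names are assumptions for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed cap, in the spirit of the commit's "limit it to 20 bytes":
 * everything between the end of the command word and the first key
 * (for "gat" that includes the TTL token) must fit in this many bytes. */
#define MAX_PREKEY_BYTES 20

/* Constructed temporary buffer size; the bounded copy must never exceed it. */
#define PREFIX_BUF_SIZE 32

typedef struct {
    char prefix[PREFIX_BUF_SIZE]; /* "get " or "gat <ttl> ", NUL-terminated */
    size_t prefix_len;
    const char *keys;             /* first key inside the caller's line */
} multiget_prefix;

static size_t skip_spaces(const char *s, size_t i, size_t len) {
    while (i < len && s[i] == ' ') i++;
    return i;
}

static size_t skip_token(const char *s, size_t i, size_t len) {
    while (i < len && s[i] != ' ') i++;
    return i;
}

/* Returns true and fills *out when the pre-key region is within the cap;
 * returns false and copies nothing otherwise. `line` is one request line
 * without its trailing "\r\n". */
bool parse_multiget_prefix(const char *line, size_t len, multiget_prefix *out) {
    size_t cmd_end = skip_token(line, 0, len);
    bool is_gat;
    if (cmd_end == 3 && memcmp(line, "get", 3) == 0) {
        is_gat = false;
    } else if (cmd_end == 3 && memcmp(line, "gat", 3) == 0) {
        is_gat = true;
    } else {
        return false; /* not a multiget command this example handles */
    }

    size_t pos = skip_spaces(line, cmd_end, len);
    if (is_gat) {
        size_t ttl_end = skip_token(line, pos, len);
        if (ttl_end == pos) return false;      /* missing TTL token */
        pos = skip_spaces(line, ttl_end, len);
    }
    if (pos >= len) return false;              /* no key present */

    /* The check the fix adds: reject before touching the temporary buffer. */
    if (pos - cmd_end > MAX_PREKEY_BYTES) return false;
    if (pos >= PREFIX_BUF_SIZE) return false;  /* defence in depth */

    memcpy(out->prefix, line, pos);
    out->prefix[pos] = '\0';
    out->prefix_len = pos;
    out->keys = line + pos;
    return true;
}

/* Convenience wrapper: does this line pass the pre-key cap? */
bool prekey_accepts(const char *line) {
    multiget_prefix p;
    return parse_multiget_prefix(line, strlen(line), &p);
}

/* Length of the accepted prefix, or 0 when the line is rejected. */
size_t prekey_prefix_len(const char *line) {
    multiget_prefix p;
    return parse_multiget_prefix(line, strlen(line), &p) ? p.prefix_len : 0;
}

/* Constructed input: "get", then n_spaces spaces, then "key1". */
bool accepts_get_with_padding(size_t n_spaces) {
    char buf[1024];
    if (n_spaces + 8 > sizeof(buf)) return false;
    memcpy(buf, "get", 3);
    memset(buf + 3, ' ', n_spaces);
    memcpy(buf + 3 + n_spaces, "key1", 4);
    size_t len = 3 + n_spaces + 4;
    buf[len] = '\0';
    multiget_prefix p;
    return parse_multiget_prefix(buf, len, &p);
}

int main(void) {
    printf("get key1 key2      -> %s\n", prekey_accepts("get key1 key2") ? "ok" : "rejected");
    printf("gat 3600 key1      -> %s\n", prekey_accepts("gat 3600 key1") ? "ok" : "rejected");
    printf("get + 200 spaces   -> %s\n", accepts_get_with_padding(200) ? "ok" : "rejected");
    return 0;
}
```

The important ordering is that the length of the pre-key region is computed and compared against the cap before any byte is written into the fixed-size prefix buffer; the separate buffer-size comparison is redundant with the cap as constructed here but keeps the copy safe if someone later raises the cap without resizing the buffer.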
Related news
Ubuntu Security Notice 6476-1 - It was discovered that Memcached incorrectly handled certain multiget requests in proxy mode. A remote attacker could use this issue to cause Memcached to crash, resulting in a denial of service, or possibly execute arbitrary code. It was discovered that Memcached incorrectly handled certain proxy requests in proxy mode. A remote attacker could use this issue to cause Memcached to crash, resulting in a denial of service, or possibly execute arbitrary code.