CVE-2020-22570: NULL pointer reference conduct DoS · Issue #636 · memcached/memcached
Memcached 1.6.0 before 1.6.3 allows remote attackers to cause a denial of service (daemon crash) via a crafted meta command.
memcached maintainer,
I found a NULL pointer reference bug in the memcached code, which could cause a DoS via a crafted remote command.
The affected memcached version: >1.6.0.
The bug is located in the file memcached.c; details are as follows:
In the function "process_mget_command", the local variable "errstr" is defined as a char* and is not initialized.
Under certain conditions, the function "_meta_flag_preparse" is called in "process_mget_command", with the address of "errstr" as the 4th parameter.
In the function "_meta_flag_preparse", there is a chance that "*errstr" is not initialized when the command is "F" or "S".
Then out_errstring->out_string->strlen references a NULL pointer, causing a crash.
BR
Zhibin
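The pattern described in the report, as an added C example that is not part of the original issue and is not memcached's code: a callee that can fail without setting the caller's error-string pointer, next to a caller hardened with a default message and a NULL guard in the output helper. The function names `preparse`, `out_errstring_len`, `errstr_left_unset` and `handle_command`, the accepted flags `k`/`v`, and the error strings are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model of the reported pattern; not memcached code.
 * Flags 'F' and 'S' stand in for the failure path that never sets *errstr. */
static int preparse(const char *flags, const char **errstr) {
    for (const char *p = flags; *p != '\0'; p++) {
        switch (*p) {
        case 'F': case 'S':
            return -1;                      /* fails, *errstr untouched */
        case 'k': case 'v':
            break;                          /* accepted flags (constructed) */
        default:
            *errstr = "CLIENT_ERROR invalid flag";
            return -1;
        }
    }
    return 0;
}

/* Output helper: refuses a NULL message instead of passing it to strlen(). */
static size_t out_errstring_len(const char *msg) {
    if (msg == NULL)
        msg = "SERVER_ERROR unknown failure";
    return strlen(msg);
}

/* Returns 1 when the callee failed and left the caller's pointer unset.
 * The NULL sentinel makes the unset state observable; the reported code
 * had no initializer at all, so the value was indeterminate. */
static int errstr_left_unset(const char *flags) {
    const char *errstr = NULL;
    return preparse(flags, &errstr) != 0 && errstr == NULL;
}

/* Hardened caller: default message before the call, so every failure path
 * hands a valid string to the output helper. Returns reply length, 0 if ok. */
static size_t handle_command(const char *flags) {
    const char *errstr = "CLIENT_ERROR bad command line format";
    if (preparse(flags, &errstr) != 0)
        return out_errstring_len(errstr);
    return 0;
}

int main(void) {
    printf("%d %zu\n", errstr_left_unset("kF"), handle_command("kF"));
    return 0;
}
```

Compiling with `-Wall -Wextra` and running the caller under a memory sanitizer are the usual ways to catch the uninitialized variant of this pattern before it ships.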