summaryrefslogtreecommitdiffstats
path: root/meta-networking
diff options
context:
space:
mode:
authorAnkur Tyagi <ankur.tyagi85@gmail.com>2025-10-15 16:42:43 +1300
committerAnuj Mittal <anuj.mittal@intel.com>2025-10-30 14:43:35 +0800
commit9795c85f02fb79c73c74b67d968014c21441905a (patch)
treeb9d86f1ea46cb29479b4d993f7b2345e3dbadbb9 /meta-networking
parentbf656aa3259875fe15fe7dcf43b4488b7258855b (diff)
downloadmeta-openembedded-9795c85f02fb79c73c74b67d968014c21441905a.tar.gz
memcached: patch CVE-2023-46852
Details https://nvd.nist.gov/vuln/detail/CVE-2023-46852 Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Diffstat (limited to 'meta-networking')
-rw-r--r--meta-networking/recipes-support/memcached/memcached/CVE-2023-46852.patch71
-rw-r--r--meta-networking/recipes-support/memcached/memcached_1.6.17.bb1
2 files changed, 72 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/memcached/memcached/CVE-2023-46852.patch b/meta-networking/recipes-support/memcached/memcached/CVE-2023-46852.patch
new file mode 100644
index 0000000000..2bb34af97a
--- /dev/null
+++ b/meta-networking/recipes-support/memcached/memcached/CVE-2023-46852.patch
@@ -0,0 +1,71 @@
1From 44d8cfad2500881447cbfe2089bfd80b85ffcd7e Mon Sep 17 00:00:00 2001
2From: dormando <dormando@rydia.net>
3Date: Fri, 28 Jul 2023 10:32:16 -0700
4Subject: [PATCH] CVE-2023-46852
5
6proxy: fix buffer overflow with multiget syntax
7
8"get[200 spaces]key1 key2\r\n" would overflow a temporary buffer used to
9process multiget syntax.
10
11To exploit this you must first pass the check in try_read_command_proxy:
12- The request before the first newline must be less than 1024 bytes.
13- If it is more than 1024 bytes there is a limit of 100 spaces.
14- The key length is still checked at 250 bytes
15- Meaning you have up to 772 spaces and then the key to create stack
16 corruption.
17
18So the amount of data you can shove in here isn't unlimited.
19
20The fix caps the amount of data pre-key to be reasonable. Something like
21GAT needs space for a 32bit TTL which is at most going to be 15 bytes +
22spaces, so we limit it to 20 bytes.
23
24I hate hate hate hate hate the multiget syntax. hate it.
25
26CVE: CVE-2023-46852
27Upstream-Status: Backport [https://github.com/memcached/memcached/commit/76a6c363c18cfe7b6a1524ae64202ac9db330767]
28(cherry picked from commit 76a6c363c18cfe7b6a1524ae64202ac9db330767)
29Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
30---
31 proto_proxy.c | 16 ++++++++++++++--
32 1 file changed, 14 insertions(+), 2 deletions(-)
33
34diff --git a/proto_proxy.c b/proto_proxy.c
35index 3ee8c07..9bef26d 100644
36--- a/proto_proxy.c
37+++ b/proto_proxy.c
38@@ -616,6 +616,12 @@ int proxy_run_coroutine(lua_State *Lc, mc_resp *resp, io_pending_proxy_t *p, con
39 return 0;
40 }
41
42+// basically any data before the first key.
43+// max is like 15ish plus spaces. we can be more strict about how many spaces
44+// to expect because any client spamming space is being deliberately stupid
45+// anyway.
46+#define MAX_CMD_PREFIX 20
47+
48 static void proxy_process_command(conn *c, char *command, size_t cmdlen, bool multiget) {
49 assert(c != NULL);
50 LIBEVENT_THREAD *thr = c->thread;
51@@ -687,12 +693,18 @@ static void proxy_process_command(conn *c, char *command, size_t cmdlen, bool mu
52 if (!multiget && pr.cmd_type == CMD_TYPE_GET && pr.has_space) {
53 uint32_t keyoff = pr.tokens[pr.keytoken];
54 while (pr.klen != 0) {
55- char temp[KEY_MAX_LENGTH + 30];
56+ char temp[KEY_MAX_LENGTH + MAX_CMD_PREFIX + 30];
57 char *cur = temp;
58 // Core daemon can abort the entire command if one key is bad, but
59 // we cannot from the proxy. Instead we have to inject errors into
60 // the stream. This should, thankfully, be rare at least.
61- if (pr.klen > KEY_MAX_LENGTH) {
62+ if (pr.tokens[pr.keytoken] > MAX_CMD_PREFIX) {
63+ if (!resp_start(c)) {
64+ conn_set_state(c, conn_closing);
65+ return;
66+ }
67+ proxy_out_errstring(c->resp, PROXY_CLIENT_ERROR, "malformed request");
68+ } else if (pr.klen > KEY_MAX_LENGTH) {
69 if (!resp_start(c)) {
70 conn_set_state(c, conn_closing);
71 return;
diff --git a/meta-networking/recipes-support/memcached/memcached_1.6.17.bb b/meta-networking/recipes-support/memcached/memcached_1.6.17.bb
index 7234f02a13..b4c1847bf6 100644
--- a/meta-networking/recipes-support/memcached/memcached_1.6.17.bb
+++ b/meta-networking/recipes-support/memcached/memcached_1.6.17.bb
@@ -22,6 +22,7 @@ RDEPENDS:${PN} += "perl perl-module-posix perl-module-autoloader \
22SRC_URI = "http://www.memcached.org/files/${BP}.tar.gz \ 22SRC_URI = "http://www.memcached.org/files/${BP}.tar.gz \
23 file://memcached-add-hugetlbfs-check.patch \ 23 file://memcached-add-hugetlbfs-check.patch \
24 file://0001-Fix-function-protypes.patch \ 24 file://0001-Fix-function-protypes.patch \
25 file://CVE-2023-46852.patch \
25 " 26 "
26SRC_URI[sha256sum] = "2055e373613d8fc21529aff9f0adce3e23b9ce01ba0478d30e7941d9f2bd1224" 27SRC_URI[sha256sum] = "2055e373613d8fc21529aff9f0adce3e23b9ce01ba0478d30e7941d9f2bd1224"
27 28