fix use-after-free for text multigets
(cherry picked from commit 8a06a059d8b0d4c5ecaabf7e348ffdc929c42496)
This commit is contained in:
yanshuai01
openeuler-sync-bot
parent
2e8e1f92e9
commit
002de6bfc9
35
fix-use-after-free-for-text-multigets.patch
Normal file
35
fix-use-after-free-for-text-multigets.patch
Normal file
@ -0,0 +1,35 @@
|
||||
From 7af02b0c875a36c61875a332dda582375014cf44 Mon Sep 17 00:00:00 2001
|
||||
From: dormando <dormando@rydia.net>
|
||||
Date: Tue, 11 Jan 2022 23:46:32 -0800
|
||||
Subject: [PATCH] core: fix use-after-free for text multigets
|
||||
|
||||
Reported in #849 - this fixes copying a read buffer after freeing the
|
||||
original read buffer.
|
||||
|
||||
This didn't matter for years since the cache code didn't touch the
|
||||
buffer, but recently it can reuse the first 8 bytes as a pointer to the
|
||||
internal freelist. Thus in some situations where large reads happen the
|
||||
command can get corrupted, returning an unhelpful "ERROR" to the end
|
||||
user.
|
||||
|
||||
---
|
||||
memcached.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/memcached.c b/memcached.c
|
||||
index 8bbdccd..2b68ca6 100644
|
||||
--- a/memcached.c
|
||||
+++ b/memcached.c
|
||||
@@ -440,8 +440,8 @@ bool rbuf_switch_to_malloc(conn *c) {
|
||||
if (!tmp)
|
||||
return false;
|
||||
|
||||
- do_cache_free(c->thread->rbuf_cache, c->rbuf);
|
||||
memcpy(tmp, c->rcurr, c->rbytes);
|
||||
+ do_cache_free(c->thread->rbuf_cache, c->rbuf);
|
||||
|
||||
c->rcurr = c->rbuf = tmp;
|
||||
c->rsize = size;
|
||||
--
|
||||
2.27.0
|
||||
|
||||
@ -7,7 +7,7 @@
|
||||
|
||||
Name: memcached
|
||||
Version: 1.6.12
|
||||
Release: 3
|
||||
Release: 4
|
||||
Epoch: 0
|
||||
Summary: A high-performance, distributed memory object caching system
|
||||
License: GPL-2.0+
|
||||
@ -18,6 +18,7 @@ Source2: memcached.sysconfig
|
||||
|
||||
Patch0001: memcached-unit.patch
|
||||
Patch0002: fix-meta-delete.patch
|
||||
Patch0003: fix-use-after-free-for-text-multigets.patch
|
||||
|
||||
BuildRequires: systemd perl-generators perl(Test::More) perl(Test::Harness)
|
||||
BuildRequires: selinux-policy-devel libevent-devel make gcc
|
||||
@ -64,6 +65,7 @@ optimised for use with this version of memcached.
|
||||
%setup -q -b 1
|
||||
%patch1 -p1 -b .unit
|
||||
%patch2 -p1 -b .delete
|
||||
%patch3 -p1 -b .multigets
|
||||
|
||||
%build
|
||||
%configure \
|
||||
@ -146,6 +148,9 @@ fi
|
||||
%{_mandir}/man1/memcached.1*
|
||||
|
||||
%changelog
|
||||
* Thu Jun 06 2024 yanshuai <yanshuai01@kylinos.cn> - 0:1.6.12-4
|
||||
- core: fix use-after-free for text multigets
|
||||
|
||||
* Fri May 31 2024 yanshuai <yanshuai01@kylinos.cn> - 0:1.6.12-3
|
||||
- meta: fix meta delete
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user