From 7af02b0c875a36c61875a332dda582375014cf44 Mon Sep 17 00:00:00 2001
From: dormando <dormando@rydia.net>
Date: Tue, 11 Jan 2022 23:46:32 -0800
Subject: [PATCH] core: fix use-after-free for text multigets
Reported in #849 - this fixes copying a read buffer after freeing the
original read buffer.
This didn't matter for years since the cache code didn't touch the
buffer, but recently it can reuse the first 8 bytes as a pointer to the
internal freelist. Thus in some situations where large reads happen the
command can get corrupted, returning an unhelpful "ERROR" to the end
user.
---
memcached.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/memcached.c b/memcached.c
index 8bbdccd..2b68ca6 100644
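--- a/memcached.c
+++ b/memcached.c
@@ -440,8 +440,8 @@ bool rbuf_switch_to_malloc(conn *c) {
 if (!tmp)
 return false;
 
- do_cache_free(c->thread->rbuf_cache, c->rbuf);
 memcpy(tmp, c->rcurr, c->rbytes);
+ do_cache_free(c->thread->rbuf_cache, c->rbuf);
 
 c->rcurr = c->rbuf = tmp;
 c->rsize = size;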
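Review bot: Nothing in the new code records why `memcpy` has to run before `do_cache_free`, so a later tidy-up could restore the old order and bring the use-after-free back; a comment above the copy would pin it, e.g. `/* copy before freeing: rcurr still points into rbuf, and the cache may overwrite the start of a freed buffer */`. That wording follows the commit message, since the relationship between `c->rcurr` and `c->rbuf` is not itself visible in the hunk. The body of `rbuf_switch_to_malloc` starts above and continues below the hunk, including the allocation of `tmp` and the computation of `size`, so it is worth confirming there that `size` is never smaller than `c->rbytes` before this copy. The diffstat touches only memcached.c; a regression test that drives a large text multiget through this path would keep the ordering from regressing silently.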
--
2.27.0