Fix security issue reported by someone.1.6.2

someone will get their name attributed for future issues if they bother following procedure.
author: dormando <dormando@rydia.net> 2020-03-23 10:16:33 -0700
committer: dormando <dormando@rydia.net> 2020-03-23 10:16:33 -0700
commit: 02c6a2b62ddcb6fa4569a591d3461a156a636305 (patch)
tree: 293db48919f0b6839ec83afd8090276180edbe69
parent: aac7d69207fa08c0114625fbfb35a11d88a0cace (diff)
download: memcached-1.6.2.tar.gz
1 files changed, 3 insertions, 2 deletions
diff --git a/memcached.c b/memcached.c
index b9ce8b1..2592b3f 100644
--- a/memcached.c
+++ b/memcached.c
@@ -6175,8 +6175,9 @@ static int try_read_command_binary(conn *c) {
         // want to refactor a ton of code either. Header is only ever used out
         // of c->binary_header, but the extlen stuff is used for the latter
         // bytes. Just wastes 24 bytes on the stack this way.
-        char extbuf[sizeof(c->binary_header) + BIN_MAX_EXTLEN];
-        memcpy(extbuf + sizeof(c->binary_header), c->rcurr + sizeof(c->binary_header), extlen);
+        char extbuf[sizeof(c->binary_header) + BIN_MAX_EXTLEN+1];
+        memcpy(extbuf + sizeof(c->binary_header), c->rcurr + sizeof(c->binary_header),
+                extlen > BIN_MAX_EXTLEN ? BIN_MAX_EXTLEN : extlen);
         c->rbytes -= sizeof(c->binary_header) + extlen + keylen;
         c->rcurr += sizeof(c->binary_header) + extlen + keylen;
author	dormando <dormando@rydia.net>	2020-03-23 10:16:33 -0700
committer	dormando <dormando@rydia.net>	2020-03-23 10:16:33 -0700
commit	02c6a2b62ddcb6fa4569a591d3461a156a636305 (patch)
tree	293db48919f0b6839ec83afd8090276180edbe69
parent	aac7d69207fa08c0114625fbfb35a11d88a0cace (diff)
download	memcached-1.6.2.tar.gz