author | dormando <dormando@rydia.net> | 2009-04-10 23:13:50 -0700 |
---|---|---|
committer | dormando <dormando@rydia.net> | 2009-04-10 23:13:50 -0700 |
commit | ef8381733bcc14dc6a916629d862d31ad4e70795 (patch) | |
tree | 4e2fc9b9abcbd9b1f81d8931eba4c09affd33f3e | |
parent | b8a39193ea9b62bd0293f345f07dfcd7e942f82f (diff) | |
download | memcached-ef8381733bcc14dc6a916629d862d31ad4e70795.tar.gz |
remove 'stats maps' command.
blah blah something randomized stack reordering.
please don't run memcached in any form where arbitrary commands can be
executed against it by random unknown users. Apparently you can add to the
long list of potential issues, that if someday somewhere sometime someone
maybe finds a buffer overflow in memcached, *and* can execute arbitrary stats
commands against your server, they could utilize both to form VOLTRON.
this *isn't* a critical fix for this next release, but I'm tossing it in for
completeness, since someone has reported the bug.
-rw-r--r-- | memcached.c | 37 |
1 files changed, 0 insertions, 37 deletions
diff --git a/memcached.c b/memcached.c
index e0d1cb4..097588a 100644
--- a/memcached.c
+++ b/memcached.c
@@ -1137,43 +1137,6 @@ static void process_stat(conn *c, token_t *tokens, const size_t ntokens) {
 #endif /* HAVE_STRUCT_MALLINFO */
 #endif /* HAVE_MALLOC_H */
-#if !defined(WIN32) || !defined(__APPLE__)
- if (strcmp(subcommand, "maps") == 0) {
- char *wbuf;
- int wsize = 8192; /* should be enough */
- int fd;
- int res;
-
- if ((wbuf = (char *)malloc(wsize)) == NULL) {
- out_string(c, "SERVER_ERROR out of memory writing stats maps");
- return;
- }
-
- fd = open("/proc/self/maps", O_RDONLY);
- if (fd == -1) {
- out_string(c, "SERVER_ERROR cannot open the maps file");
- free(wbuf);
- return;
- }
-
- res = read(fd, wbuf, wsize - 6); /* 6 = END\r\n\0 */
- if (res == wsize - 6) {
- out_string(c, "SERVER_ERROR buffer overflow");
- free(wbuf); close(fd);
- return;
- }
- if (res == 0 || res == -1) {
- out_string(c, "SERVER_ERROR can't read the maps file");
- free(wbuf); close(fd);
- return;
- }
- memcpy(wbuf + res, "END\r\n", 5);
- write_and_free(c, wbuf, res + 5);
- close(fd);
- return;
- }
-#endif
-
 if (strcmp(subcommand, "cachedump") == 0) {
 char *buf; |