author | dormando <dormando@rydia.net> | 2022-01-11 23:46:32 -0800 |
---|---|---|
committer | dormando <dormando@rydia.net> | 2022-01-11 23:46:32 -0800 |
commit | 7af02b0c875a36c61875a332dda582375014cf44 (patch) | |
tree | 6bac39554c146f74e24ffb788c8c69cf254b19f2 | |
parent | 7b4160c4062b208a0c975cf61aa41ee69ccac01d (diff) | |
download | memcached-7af02b0c875a36c61875a332dda582375014cf44.tar.gz |
core: fix use-after-free for text multigets
Reported in #849 - this fixes copying a read buffer after freeing the
original read buffer.
This didn't matter for years since the cache code didn't touch the
buffer, but recently it can reuse the first 8 bytes as a pointer to the
internal freelist. Thus in some situations where large reads happen the
command can get corrupted, returning an unhelpful "ERROR" to the end
user.
-rw-r--r-- | memcached.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/memcached.c b/memcached.c index af9583c..e111789 100644 --- a/memcached.c +++ b/memcached.c @@ -440,8 +440,8 @@ bool rbuf_switch_to_malloc(conn *c) { if (!tmp) return false; - do_cache_free(c->thread->rbuf_cache, c->rbuf); memcpy(tmp, c->rcurr, c->rbytes); + do_cache_free(c->thread->rbuf_cache, c->rbuf); c->rcurr = c->rbuf = tmp; c->rsize = size; |
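Review bot: The reordered lines in rbuf_switch_to_malloc() depend on an ordering rule that the code itself does not state. Per the commit message, the memcpy source c->rcurr lies in the read buffer being released, and the cache can reuse the first 8 bytes of a freed buffer as a freelist pointer, so `memcpy(tmp, c->rcurr, c->rbytes);` must run before `do_cache_free(c->thread->rbuf_cache, c->rbuf);`. A short comment above the memcpy saying this would keep a later cleanup from moving the free back up. The visible context also shows no check that c->rbytes fits within the new `size` before the copy; if that is guaranteed by how size is computed, an assert here would document it. A regression test that issues a large text multiget and checks that the reply is not "ERROR" would cover the case reported in #849.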