author | Paul Furtado <pfurtado@hubspot.com> | 2018-05-30 15:26:06 -0400 |
---|---|---|
committer | dormando <dormando@rydia.net> | 2018-06-04 14:56:58 -0700 |
commit | ced9e1730cb6bb3beece9b22e7bd5cb2d05ed2c8 (patch) | |
tree | e226ad4285e0c014a85912c0020dc135c63b4abb /memcached.h | |
parent | 276ec8b2d30180c96cca2657abbceed318ac7878 (diff) | |
download | memcached-ced9e1730cb6bb3beece9b22e7bd5cb2d05ed2c8.tar.gz |
Fix segfault: Prevent calling sasl_server_step before sasl_server_start
If sasl_server_step is called on a sasl_conn which has not had
sasl_server_start called on it, it will segfault from reading
uninitialized memory.
Memcached currently calls sasl_server_start when the client sends
the PROTOCOL_BINARY_CMD_SASL_AUTH command and sasl_server_step when
the client sends the PROTOCOL_BINARY_CMD_SASL_STEP command. So if the
client sends SASL_STEP before SASL_AUTH, the server segfaults.
For well-behaved clients, this case never happens; but for the
java-memcached-client, when configured with an incorrect password,
it happens very frequently. This is likely because the client handles
auth on a background thread and the socket may be swapped out in the
middle of authentication. You can see that code here:
https://github.com/dustin/java-memcached-client/blob/master/src/main/java/net/spy/memcached/auth/AuthThread.java
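Added example (not memcached's code, and not part of this commit): a self-contained C model of the ordering bug the commit message describes. The Cyrus SASL calls are replaced by constructed stand-ins (mock_sasl_conn_t, mock_sasl_server_start, mock_sasl_server_step, PLAIN mechanism only) so the program runs offline; handle_sasl, conn_reset_sasl, replay and the sasl_result values are hypothetical names chosen here, while the two opcode values are those of the memcached binary protocol. The conn fields mirror the three neighbouring members visible in the hunk.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Opcodes from the memcached binary protocol. */
enum { PROTOCOL_BINARY_CMD_SASL_AUTH = 0x21, PROTOCOL_BINARY_CMD_SASL_STEP = 0x22 };

/* Constructed stand-in for Cyrus SASL's sasl_conn_t; a flag records whether
 * sasl_server_start() has initialized the mechanism state that step() reads. */
typedef struct {
    bool started;
    const char *expected_password;
} mock_sasl_conn_t;

enum { MOCK_SASL_OK = 0, MOCK_SASL_CONTINUE = 1, MOCK_SASL_BADAUTH = -1 };

/* Step calls reaching the library unstarted: the real library segfaults here. */
static int g_steps_without_start = 0;

/* PLAIN payload is [authzid] NUL authcid NUL passwd; compare the password. */
static int plain_verify(const mock_sasl_conn_t *sc, const char *in, size_t len) {
    const char *p = memchr(in, '\0', len);
    if (p == NULL) return MOCK_SASL_BADAUTH;
    p = memchr(p + 1, '\0', len - (size_t)(p + 1 - in));
    if (p == NULL) return MOCK_SASL_BADAUTH;
    size_t plen = len - (size_t)(++p - in);
    return (plen == strlen(sc->expected_password) &&
            memcmp(p, sc->expected_password, plen) == 0) ? MOCK_SASL_OK : MOCK_SASL_BADAUTH;
}

static int mock_sasl_server_step(mock_sasl_conn_t *sc, const char *in, size_t len) {
    if (!sc->started) {
        g_steps_without_start++;       /* the real call reads uninitialized memory */
        return MOCK_SASL_BADAUTH;
    }
    return plain_verify(sc, in, len);
}

static int mock_sasl_server_start(mock_sasl_conn_t *sc, const char *mech,
                                  const char *in, size_t len) {
    if (mech == NULL || strcmp(mech, "PLAIN") != 0) return MOCK_SASL_BADAUTH;
    sc->started = true;
    /* Empty initial response: ask the client to continue with SASL_STEP. */
    return len == 0 ? MOCK_SASL_CONTINUE : plain_verify(sc, in, len);
}

struct conn {                 /* the neighbouring fields from memcached.h */
    mock_sasl_conn_t *sasl_conn;
    bool sasl_started;        /* true once sasl_server_start() ran on sasl_conn */
    bool authenticated;
};

enum sasl_result { AUTH_CONTINUE, AUTH_OK, AUTH_ERROR, AUTH_OUT_OF_ORDER };

/* Hypothetical dispatcher for the two SASL opcodes (not memcached's own). */
static enum sasl_result handle_sasl(struct conn *c, int opcode, const char *mech,
                                    const char *data, size_t len) {
    int rc;
    if (opcode == PROTOCOL_BINARY_CMD_SASL_AUTH) {
        rc = mock_sasl_server_start(c->sasl_conn, mech, data, len);
        c->sasl_started = (rc == MOCK_SASL_OK || rc == MOCK_SASL_CONTINUE);
    } else if (opcode == PROTOCOL_BINARY_CMD_SASL_STEP) {
        if (!c->sasl_started)          /* the guard this commit introduces */
            return AUTH_OUT_OF_ORDER;
        rc = mock_sasl_server_step(c->sasl_conn, data, len);
    } else { return AUTH_ERROR; }
    if (rc == MOCK_SASL_CONTINUE) return AUTH_CONTINUE;
    if (rc == MOCK_SASL_OK) { c->authenticated = true; return AUTH_OK; }
    return AUTH_ERROR;
}

/* Clear SASL state as a unit: a recycled conn must not keep a stale sasl_started. */
static void conn_reset_sasl(struct conn *c) {
    c->sasl_conn->started = false;
    c->sasl_started = false;
    c->authenticated = false;
}

/* Constructed PLAIN payloads ("\0user\0<password>"); the server expects "secret". */
static const char GOOD[] = "\0user\0secret", BAD[] = "\0user\0wrong";

/* Replay a client sequence on a fresh conn and return the STEP's result. send_auth=false
 * is the java-memcached-client case; reset_between models conn reuse between commands. */
static enum sasl_result replay(bool send_auth, bool reset_between,
                               const char *creds, size_t len) {
    mock_sasl_conn_t sc = { false, "secret" };
    struct conn c = { &sc, false, false };
    if (send_auth) handle_sasl(&c, PROTOCOL_BINARY_CMD_SASL_AUTH, "PLAIN", NULL, 0);
    if (reset_between) conn_reset_sasl(&c);
    return handle_sasl(&c, PROTOCOL_BINARY_CMD_SASL_STEP, NULL, creds, len);
}

int main(void) {
    printf("AUTH then STEP, good password: %d\n", replay(true, false, GOOD, sizeof GOOD - 1));
    printf("STEP without AUTH:             %d\n", replay(false, false, GOOD, sizeof GOOD - 1));
    printf("AUTH, conn reset, STEP:        %d\n", replay(true, true, GOOD, sizeof GOOD - 1));
    printf("steps that reached the library unstarted: %d\n", g_steps_without_start);
    return 0;
}
```

Build with cc -std=c99 -Wall. The third replay is the case the hunk alone does not show: if a conn structure is recycled for a new client, sasl_started has to be cleared together with the SASL connection, otherwise the guard passes on a connection that never called sasl_server_start.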
Diffstat (limited to 'memcached.h')
-rw-r--r-- | memcached.h | 1 |
1 file changed, 1 insertion, 0 deletions
diff --git a/memcached.h b/memcached.h index adee4a2..017eb56 100644 --- a/memcached.h +++ b/memcached.h @@ -555,6 +555,7 @@ typedef struct _io_wrap { struct conn { int sfd; sasl_conn_t *sasl_conn; + bool sasl_started; bool authenticated; enum conn_states state; enum bin_substates substate; |
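Review bot: the new `bool sasl_started;` in struct conn has no initialization or reset visible in this hunk, and because the diff is limited to memcached.h the sites that set, check and clear it are not shown here. The field tracks the state of the adjacent `sasl_conn_t *sasl_conn;`, so it must start out false wherever a conn is created or reinitialized and be cleared whenever sasl_conn is disposed or replaced; if conn structures are reused across client sockets, a stale true from an earlier session would let a SASL_STEP reach sasl_server_step on a connection that never saw sasl_server_start, which is exactly the crash this commit prevents. It should also be set to true only when sasl_server_start actually ran (returned SASL_OK or SASL_CONTINUE), not merely when the SASL_AUTH command was received. A one-line comment on the member, matching the style of the neighbouring `bool authenticated;`, e.g. `bool sasl_started; /* sasl_server_start() has run on sasl_conn */`, would make the invariant explicit for whoever next touches the SASL code.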