
CVE-2018-6340 Fix buffer overread

Summary:
snprintf() returns the number of bytes that would have been written if the buffer had
enough size, letting the original code construct the output string from
arbitrary data on the stack.

Fix this by properly assembling the String without trying to arbitrarily
limit the length to 30 bytes.

Reviewed By: ottoni

Differential Revision: D13509547

fbshipit-source-id: aa401b83d356f5b261433c4b16d777948ba7f9b4
jano authored and hhvm-bot committed Dec 18, 2018
1 parent 3c5338b commit 4bff3bfbe90d10451e4638c2118d1ad1117bb3e3
Showing with 7 additions and 6 deletions.
  1. +7 −6 hphp/runtime/ext/memcache/ext_memcache.cpp
@@ -700,9 +700,6 @@ static Array HHVM_METHOD(Memcache, getextendedstats,

for (int server_id = 0; server_id < server_count; server_id++) {
memcached_stat_st *stat;
char stats_key[30] = {0};
size_t key_len;

LMCD_SERVER_POSITION_INSTANCE_TYPE instance =
memcached_server_instance_by_position(&data->m_memcache, server_id);
const char *hostname = LMCD_SERVER_HOSTNAME(instance);
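Review bot: removing `char stats_key[30] = {0};` and `size_t key_len;` here takes away the fixed 30-byte stack buffer that the overread depended on, but the lines between this hunk and the next (old 703 to 711) are not shown; please confirm no remaining reference to `stats_key` or `key_len` exists in that elided range, since the compiler will only flag the leftover `key_len` use at the old snprintf line, which the second hunk already deletes.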
@@ -715,9 +712,13 @@ static Array HHVM_METHOD(Memcache, getextendedstats,
continue;
}

key_len = snprintf(stats_key, sizeof(stats_key), "%s:%d", hostname, port);

return_val.set(String(stats_key, key_len, CopyString), server_stats);
auto const port_str = folly::to<std::string>(port);
auto const key_len = strlen(hostname) + 1 + port_str.length();
auto key = String(key_len, ReserveString);
key += hostname;
key += ":";
key += port_str;
return_val.set(key, server_stats);
}

free(stats);
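Review bot: the replacement is sound, but a one-line comment above `auto key = String(key_len, ReserveString);` explaining why the old pattern was wrong would help future readers: `snprintf` returns the length the formatted string would have had, not the bytes actually stored, so `String(stats_key, key_len, CopyString)` read `key_len` bytes from a 30-byte buffer whenever `hostname:port` exceeded 29 characters. Also note that `key_len` is now only a capacity hint for `ReserveString`; the three `+=` appends grow the string as needed, so an under-estimate cannot truncate or overread.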

0 comments on commit 4bff3bf
