CVE-2018-6340 Fix buffer overread
Summary:
snprintf() returns the number of bytes that would have been written if the buffer had
enough size, letting the original code construct the output string from
arbitrary data on the stack.

Fix this by properly assembling the String without trying to arbitrarily
limit the length to 30 bytes.

Reviewed By: ottoni

Differential Revision: D13509547

fbshipit-source-id: aa401b83d356f5b261433c4b16d777948ba7f9b4
jano authored and hhvm-bot committed Dec 18, 2018
1 parent 3c5338b commit 4bff3bf
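The commit message above states the snprintf() return-value mistake in general terms. The C program below is added here as an illustration; it is not part of HHVM or of this commit. It reproduces the pre-fix shape with the same 30-byte buffer and "%s:%d" format, reports when the value snprintf returns exceeds what the buffer actually holds (the condition under which the original `String(stats_key, key_len, CopyString)` copied bytes from beyond the stack buffer), and shows two safe alternatives: clamping the length to the bytes that were stored, and measuring first then allocating exactly, which is the C analogue of the fix's `strlen(hostname) + 1 + port_str.length()` reservation. The function names, the `STATS_KEY_BUF` constant and the hostname `cache01.internal.example.com` are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the fixed buffer the pre-fix code used (char stats_key[30]).
 * Hypothetical name, chosen for this example. */
#define STATS_KEY_BUF 30

/*
 * Vulnerable shape: format into a fixed buffer and trust snprintf's return
 * value as the number of bytes actually stored. snprintf returns the length
 * the full string *would* have had, so for a long hostname n >= sizeof(buf)
 * and a later copy of n bytes reads past the buffer. This function does not
 * perform that over-read; it reports whether it would happen and by how many
 * bytes (*excess = bytes of the claimed length that lie outside the buffer).
 */
int key_would_overread(const char *hostname, int port, size_t *excess) {
    char stats_key[STATS_KEY_BUF] = {0};
    int n = snprintf(stats_key, sizeof stats_key, "%s:%d", hostname, port);
    if (n < 0) {                 /* encoding error: no usable length */
        *excess = 0;
        return 0;
    }
    /* The buffer holds at most sizeof-1 characters plus the terminator. */
    if ((size_t)n > sizeof stats_key - 1) {
        *excess = (size_t)n - (sizeof stats_key - 1);
        return 1;
    }
    *excess = 0;
    return 0;
}

/*
 * Hardened, fixed-buffer variant: keep the buffer but never report a length
 * larger than what it actually holds. Returns the in-bounds length; the key
 * is truncated if it did not fit, which a caller can detect by comparing the
 * return value against the full formatted length.
 */
size_t stats_key_clamped(const char *hostname, int port,
                         char *buf, size_t bufsz) {
    if (bufsz == 0) return 0;
    int n = snprintf(buf, bufsz, "%s:%d", hostname, port);
    if (n < 0) { buf[0] = '\0'; return 0; }
    size_t len = (size_t)n;
    if (len > bufsz - 1) len = bufsz - 1;   /* clamp to what was stored */
    return len;
}

/*
 * Hardened, exact-length variant: measure first, then allocate. This mirrors
 * the fix, which sizes the String from the hostname and port lengths and
 * then appends the parts. Caller frees the result.
 */
char *stats_key_alloc(const char *hostname, int port) {
    int n = snprintf(NULL, 0, "%s:%d", hostname, port);  /* measure only */
    if (n < 0) return NULL;
    char *key = malloc((size_t)n + 1);
    if (!key) return NULL;
    snprintf(key, (size_t)n + 1, "%s:%d", hostname, port);
    return key;
}

int main(void) {
    /* Constructed sample input: a 28-character hostname plus ":11211". */
    const char *host = "cache01.internal.example.com";
    size_t excess;
    char buf[STATS_KEY_BUF];

    if (key_would_overread(host, 11211, &excess))
        printf("over-read: a copy of the returned length would read %zu bytes past the buffer\n",
               excess);

    size_t len = stats_key_clamped(host, 11211, buf, sizeof buf);
    printf("clamped key (%zu bytes): %s\n", len, buf);

    char *key = stats_key_alloc(host, 11211);
    if (key) {
        printf("exact key (%zu bytes): %s\n", strlen(key), key);
        free(key);
    }
    return 0;
}
```

With the sample hostname the full key is 34 characters, so the 30-byte buffer stores 29 and the pre-fix length claims 5 bytes beyond it; the clamped variant returns 29 and the allocating variant returns the complete key.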
Showing 1 changed file with 7 additions and 6 deletions.
13 changes: 7 additions & 6 deletions hphp/runtime/ext/memcache/ext_memcache.cpp
Expand Up @@ -700,9 +700,6 @@ static Array HHVM_METHOD(Memcache, getextendedstats,

for (int server_id = 0; server_id < server_count; server_id++) {
memcached_stat_st *stat;
char stats_key[30] = {0};
size_t key_len;

LMCD_SERVER_POSITION_INSTANCE_TYPE instance =
memcached_server_instance_by_position(&data->m_memcache, server_id);
const char *hostname = LMCD_SERVER_HOSTNAME(instance);
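Review bot: the removed `char stats_key[30]` could hold only 29 characters plus the terminator, so a hostname of roughly 24 characters followed by `:` and a 5-digit port was already being truncated by the `snprintf` in the next hunk while its return value kept reporting the full length; dropping the fixed buffer and its `key_len` is the right fix, but please add a regression test for `getextendedstats` with a hostname longer than 29 characters (a fully qualified name is enough) so the over-read cannot come back.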
Expand All @@ -715,9 +712,13 @@ static Array HHVM_METHOD(Memcache, getextendedstats,
continue;
}

key_len = snprintf(stats_key, sizeof(stats_key), "%s:%d", hostname, port);

return_val.set(String(stats_key, key_len, CopyString), server_stats);
auto const port_str = folly::to<std::string>(port);
auto const key_len = strlen(hostname) + 1 + port_str.length();
auto key = String(key_len, ReserveString);
key += hostname;
key += ":";
key += port_str;
return_val.set(key, server_stats);
}

free(stats);
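Review bot: the `key_len` computed as `strlen(hostname) + 1 + port_str.length()` only sizes the `ReserveString` reservation and never bounds a copy, so a mismatch with the three `+=` appends that follow would at worst cost a reallocation rather than a read past the end; that is safe, but it duplicates the concatenation, and something like `folly::to<std::string>(hostname, ':', port)` passed to `String` would express the same key without a hand-computed length. Please also confirm this file includes `folly/Conv.h`, since this hunk is the only use of `folly::to` visible here. One caveat the hunk leaves as before: `hostname` goes into `strlen` and `+=` unchecked, so if `LMCD_SERVER_HOSTNAME(instance)` can return a null pointer for a server the `continue` above does not skip, a guard is needed.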