"get[200 spaces]key1 key2\r\n" would overflow a temporary buffer used to
process multiget syntax.
To exploit this you must first pass the check in try_read_command_proxy:
- The request before the first newline must be less than 1024 bytes.
- If it is more than 1024 bytes there is a limit of 100 spaces.
- The key length is still checked at 250 bytes.
- Meaning you have up to 772 spaces and then the key to create stack
corruption.
So the amount of data you can shove in here isn't unlimited.
The fix caps the amount of data pre-key to be reasonable. Something like
GAT needs space for a 32bit TTL which is at most going to be 15 bytes +
spaces, so we limit it to 20 bytes.
I hate hate hate hate hate the multiget syntax. Hate it.
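The bound the commit message describes, shown as an added example rather than memcached's own code: a small, hypothetical parser for the classic `get <key> [<key> ...]\r\n` syntax that rejects a request when the run of bytes between the command word and the first key exceeds 20 bytes, and when any key exceeds 250 bytes, before anything is copied into a fixed-size buffer. The function names `parse_multiget` and `build_get_line` and the constants `PREKEY_MAX` (20, the cap the fix chose) and `KEY_MAX_LEN` (250, the key limit the message mentions) are assumptions for this example; the separate 1024-byte line cap and 100-space rule of `try_read_command_proxy` are left to the caller.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KEY_MAX_LEN 250   /* key length limit named in the commit message */
#define PREKEY_MAX  20    /* cap on bytes between the command word and the first key (the fix's value) */

/*
 * Hypothetical parser for "get <key> [<key> ...]\r\n" (not memcached's code).
 * Returns the number of keys copied into `keys` (each NUL-terminated), or -1
 * if the request is rejected. `max_keys` is how many keys the caller's array holds.
 */
int parse_multiget(const char *line, size_t len,
                   char keys[][KEY_MAX_LEN + 1], int max_keys)
{
    size_t i, cmd_len, spaces = 0;
    int nkeys = 0;

    /* The request line must end in CRLF; drop it for the rest of the parse. */
    if (len < 2 || line[len - 2] != '\r' || line[len - 1] != '\n')
        return -1;
    len -= 2;

    /* Command word must be exactly "get" or "gets". */
    for (cmd_len = 0; cmd_len < len && line[cmd_len] != ' '; cmd_len++)
        ;
    if (!((cmd_len == 3 && memcmp(line, "get", 3) == 0) ||
          (cmd_len == 4 && memcmp(line, "gets", 4) == 0)))
        return -1;
    i = cmd_len;

    /* Pre-key region: the run of spaces before the first key. An unbounded run
     * here is what overflowed the temporary buffer, so cap it. 20 bytes still
     * leaves room for gat's TTL token plus separators. */
    while (i < len && line[i] == ' ') { i++; spaces++; }
    if (spaces == 0 || spaces > PREKEY_MAX)
        return -1;

    /* Tokenize keys: each key is a run of non-space bytes of at most KEY_MAX_LEN. */
    while (i < len) {
        size_t start = i, klen;
        while (i < len && line[i] != ' ') i++;
        klen = i - start;
        if (klen > KEY_MAX_LEN)        /* oversized key: reject before copying */
            return -1;
        if (nkeys >= max_keys)         /* caller's array is full */
            return -1;
        memcpy(keys[nkeys], line + start, klen);
        keys[nkeys][klen] = '\0';
        nkeys++;
        /* Separators between keys are bounded only by the total line length,
         * which the caller is expected to cap before calling this function. */
        while (i < len && line[i] == ' ') i++;
    }
    return nkeys;
}

/* Builds a constructed request: "get" + nspaces spaces + keylen 'a's + CRLF.
 * Returns the line length, or 0 if it would not fit in `out`. */
size_t build_get_line(char *out, size_t outsz, size_t nspaces, size_t keylen)
{
    size_t need = 3 + nspaces + keylen + 2;
    if (need > outsz) return 0;
    memcpy(out, "get", 3);
    memset(out + 3, ' ', nspaces);
    memset(out + 3 + nspaces, 'a', keylen);
    out[need - 2] = '\r';
    out[need - 1] = '\n';
    return need;
}

int main(void)
{
    char keys[4][KEY_MAX_LEN + 1];
    char buf[1200];
    size_t n;

    printf("normal:      %d\n", parse_multiget("get k1 k2\r\n", 11, keys, 4));
    n = build_get_line(buf, sizeof buf, 200, 2);   /* the shape from the commit message */
    printf("200 spaces:  %d\n", parse_multiget(buf, n, keys, 4));
    n = build_get_line(buf, sizeof buf, 1, 251);
    printf("251-byte key: %d\n", parse_multiget(buf, n, keys, 4));
    return 0;
}
```

The rejection happens on the raw line before any copy, so the temporary buffer's size never has to be sized for adversarial spacing; the only unbounded dimension left is the total line length, which belongs to the outer read path.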