Commit
proxy: fix buffer overflow with multiget syntax
"get[200 spaces]key1 key2\r\n" would overflow a temporary buffer used to process multiget syntax.

To exploit this you must first pass the check in try_read_command_proxy:
- The request before the first newline must be less than 1024 bytes.
- If it is more than 1024 bytes there is a limit of 100 spaces.
- The key length is still checked at 250 bytes
- Meaning you have up to 772 spaces and then the key to create stack corruption.

So the amount of data you can shove in here isn't unlimited.

The fix caps the amount of data pre-key to be reasonable. Something like GAT needs space for a 32bit TTL which is at most going to be 15 bytes + spaces, so we limit it to 20 bytes.

I hate hate hate hate hate the multiget syntax. hate it.
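The bound described in the commit message, as an added sketch that is not memcached's code: the pre-key span (command plus following spaces) is capped at 20 bytes before anything is copied into a fixed-size buffer. The helper names `prekey_len` and `split_key`, and the model of rewriting a multiget into one request per key, are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define PREKEY_MAX 20   /* pre-key cap named in the commit message */
#define KEY_MAX    250  /* key length limit named in the commit message */

static int is_end(char c) { return c == '\r' || c == '\n'; }

/* Hypothetical helper: bytes before the first key (command token plus the
 * spaces after it). Returns -1 if that span exceeds PREKEY_MAX or no key
 * follows. Scanning stops as soon as the cap is passed. */
int prekey_len(const char *req, size_t len) {
    size_t i = 0;
    while (i < len && i <= PREKEY_MAX && req[i] != ' ' && !is_end(req[i])) i++;
    while (i < len && i <= PREKEY_MAX && req[i] == ' ') i++;
    if (i > PREKEY_MAX || i >= len || is_end(req[i])) return -1;
    return (int)i;
}

/* Hypothetical helper: write "<prefix><n-th key>\r\n" into out.
 * Returns bytes written, or -1 if the request is rejected. */
int split_key(const char *req, size_t len, int n, char *out, size_t outsz) {
    int pre = prekey_len(req, len);
    if (pre < 0) return -1;
    size_t i = (size_t)pre;
    for (;;) {
        size_t start = i;
        while (i < len && req[i] != ' ' && !is_end(req[i])) i++;
        size_t klen = i - start;
        if (klen > KEY_MAX) return -1;
        if (n-- == 0) {
            /* Destination size is checked before any byte is copied. */
            if ((size_t)pre + klen + 2 > outsz) return -1;
            memcpy(out, req, (size_t)pre);
            memcpy(out + pre, req + start, klen);
            memcpy(out + pre + klen, "\r\n", 2);
            return pre + (int)klen + 2;
        }
        while (i < len && req[i] == ' ') i++;
        if (i >= len || is_end(req[i])) return -1;  /* fewer than n+1 keys */
    }
}
```

With the cap enforced first, the worst-case output is 20 + 250 + 2 bytes, so the temporary buffer can be sized from constants instead of from the request.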