
improve binary sasl security fixes

Would return errors on empty or minimal password requests.

Also potential overflows if you send the second SASL packet with longer item
data than initially requested.

Passes tests, but the tests might not have good enough coverage.
dormando committed Dec 19, 2016
1 parent 6a357b7 commit faf6482d026a0063c7b10d45023eb9a96f3413d2
Showing with 15 additions and 1 deletion.
  1. +15 −1 memcached.c
@@ -1879,7 +1879,7 @@ static void process_bin_sasl_auth(conn *c) {
char *key = binary_get_key(c);
assert(key);

item *it = item_alloc(key, nkey, 0, 0, vlen);
item *it = item_alloc(key, nkey, 0, 0, vlen+2);

/* Can't use a chunked item for SASL authentication. */
if (it == 0 || (it->it_flags & ITEM_CHUNKED)) {
@@ -1906,6 +1906,13 @@ static void process_bin_complete_sasl_auth(conn *c) {
int nkey = c->binary_header.request.keylen;
int vlen = c->binary_header.request.bodylen - nkey;

if (nkey > ((item*) c->item)->nkey) {
write_bin_error(c, PROTOCOL_BINARY_RESPONSE_EINVAL, NULL, vlen);
c->write_and_go = conn_swallow;
item_unlink(c->item);
return;
}

char mech[nkey+1];
memcpy(mech, ITEM_key((item*)c->item), nkey);
mech[nkey] = 0x00;
@@ -1915,6 +1922,13 @@ static void process_bin_complete_sasl_auth(conn *c) {

const char *challenge = vlen == 0 ? NULL : ITEM_data((item*) c->item);

if (vlen > ((item*) c->item)->nbytes) {
write_bin_error(c, PROTOCOL_BINARY_RESPONSE_EINVAL, NULL, vlen);
c->write_and_go = conn_swallow;
item_unlink(c->item);
return;
}

int result=-1;

switch (c->cmd) {
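Review bot: The new value-length guard in process_bin_complete_sasl_auth, `if (vlen > ((item*) c->item)->nbytes)`, only bounds vlen from above, although vlen is a signed int computed as `c->binary_header.request.bodylen - nkey` from request header fields a few lines earlier. If a header whose bodylen is smaller than keylen can reach this function (the page does not show whether an earlier dispatch check rejects it), vlen would be negative, pass this comparison, and be used later as a length. I would write the guard as `if (vlen < 0 || vlen > ((item*) c->item)->nbytes) {` and place it above the `challenge` assignment, so nothing derived from vlen is computed before it is validated. The function body starts and continues outside the hunks shown, so how vlen is consumed afterwards should be confirmed against the full file.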
