Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP1:GA
memcached.11123
memcached-CVE-2019-15026.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File memcached-CVE-2019-15026.patch of Package memcached.11123
Index: memcached-1.5.6/memcached.c =================================================================== --- memcached-1.5.6.orig/memcached.c 2019-09-03 12:01:54.762376784 +0200 +++ memcached-1.5.6/memcached.c 2019-09-03 12:24:51.486326057 +0200 @@ -3273,6 +3273,7 @@ static void conn_to_str(const conn *c, c struct sockaddr *addr = (void *)&c->request_addr; int af; unsigned short port = 0; + size_t pathlen = 0; /* For listen ports and idle UDP ports, show listen address */ if (c->state == conn_listening || @@ -3314,10 +3315,27 @@ static void conn_to_str(const conn *c, c break; case AF_UNIX: + // this strncpy call originally could piss off an address + // sanitizer; we supplied the size of the dest buf as a limiter, + // but optimized versions of strncpy could read past the end of + // *src while looking for a null terminator. Since buf and + // sun_path here are both on the stack they could even overlap, + // which is "undefined". In all OSS versions of strncpy I could + // find this has no effect; it'll still only copy until the first null + // terminator is found. Thus it's possible to get the OS to + // examine past the end of sun_path but it's unclear to me if this + // can cause any actual problem. + // + // We need a safe_strncpy util function but I'll punt on figuring + // that out for now. + pathlen = sizeof(((struct sockaddr_un *)addr)->sun_path); + if (MAXPATHLEN <= pathlen) { + pathlen = MAXPATHLEN - 1; + } strncpy(addr_text, ((struct sockaddr_un *)addr)->sun_path, - sizeof(addr_text) - 1); - addr_text[sizeof(addr_text)-1] = '\0'; + pathlen); + addr_text[pathlen] = '\0'; protoname = "unix"; break; }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor