Details: https://nvd.nist.gov/vuln/detail/CVE-2023-46853
Backport the patch that is referenced by the NVD advisory. Signed-off-by: Gyorgy Sarvari <[email protected]> --- .../memcached/memcached/CVE-2023-46853.patch | 114 ++++++++++++++++++ .../memcached/memcached_1.6.15.bb | 1 + 2 files changed, 115 insertions(+) create mode 100644 meta-networking/recipes-support/memcached/memcached/CVE-2023-46853.patch diff --git a/meta-networking/recipes-support/memcached/memcached/CVE-2023-46853.patch b/meta-networking/recipes-support/memcached/memcached/CVE-2023-46853.patch new file mode 100644 index 0000000000..52066f7e71 --- /dev/null +++ b/meta-networking/recipes-support/memcached/memcached/CVE-2023-46853.patch @@ -0,0 +1,114 @@ +From 788c8ba8fe07d0df3c425458b6e3a1590cc25401 Mon Sep 17 00:00:00 2001 +From: dormando <[email protected]> +Date: Wed, 2 Aug 2023 15:45:56 -0700 +Subject: [PATCH] proxy: fix off-by-one if \r is missing + +A bunch of the parser assumed we only had \r\n, but I didn't actually +have that strictness set. Some commands worked and some broke in subtle +ways when just "\n" was being submitted. + +I'm not 100% confident in this change yet so I'm opening a PR to stage +it while I run some more thorough tests. + +CVE: CVE-2023-46853 +Upstream-Status: Backport [https://github.com/memcached/memcached/commit/6987918e9a3094ec4fc8976f01f769f624d790fa] +Signed-off-by: Gyorgy Sarvari <[email protected]> +--- + proxy.h | 1 + + proxy_request.c | 22 ++++++++++++++++------ + t/proxy.t | 5 +++-- + 3 files changed, 20 insertions(+), 8 deletions(-) + +diff --git a/proxy.h b/proxy.h +index 86b4aa9..df9ebd6 100644 +--- a/proxy.h ++++ b/proxy.h +@@ -268,6 +268,7 @@ struct mcp_parser_s { + uint8_t keytoken; // because GAT. sigh. also cmds without a key. + uint32_t parsed; // how far into the request we parsed already + uint32_t reqlen; // full length of request buffer. ++ uint32_t endlen; // index to the start of \r\n or \n + int vlen; + uint32_t klen; // length of key. + uint16_t tokens[PARSER_MAX_TOKENS]; // offsets for start of each token +diff --git a/proxy_request.c b/proxy_request.c +index f351cc1..1c34182 100644 +--- a/proxy_request.c ++++ b/proxy_request.c +@@ -9,7 +9,7 @@ + // where we later scan or directly feed data into API's. + static int _process_tokenize(mcp_parser_t *pr, const size_t max) { + const char *s = pr->request; +- int len = pr->reqlen - 2; ++ int len = pr->endlen; + + // since multigets can be huge, we can't purely judge reqlen against this + // limit, but we also can't index past it since the tokens are shorts. +@@ -79,7 +79,7 @@ static int _process_request_key(mcp_parser_t *pr) { + // Returns the offset for the next key. + size_t _process_request_next_key(mcp_parser_t *pr) { + const char *cur = pr->request + pr->parsed; +- int remain = pr->reqlen - pr->parsed - 2; ++ int remain = pr->endlen - pr->parsed; + + // chew off any leading whitespace. + while (remain) { +@@ -112,7 +112,7 @@ static int _process_request_metaflags(mcp_parser_t *pr, int token) { + return 0; + } + const char *cur = pr->request + pr->tokens[token]; +- const char *end = pr->request + pr->reqlen - 2; ++ const char *end = pr->request + pr->endlen; + + // We blindly convert flags into bits, since the range of possible + // flags is deliberately < 64. +@@ -276,15 +276,25 @@ int process_request(mcp_parser_t *pr, const char *command, size_t cmdlen) { + return -1; + } + +- const char *s = memchr(command, ' ', cmdlen-2); ++ // Commands can end with bare '\n's. Depressingly I intended to be strict ++ // with a \r\n requirement but never did this and need backcompat. ++ // In this case we _know_ \n is at cmdlen because we can't enter this ++ // function otherwise. ++ if (cm[cmdlen-2] == '\r') { ++ pr->endlen = cmdlen - 2; ++ } else { ++ pr->endlen = cmdlen - 1; ++ } ++ ++ const char *s = memchr(command, ' ', pr->endlen); + if (s != NULL) { + cl = s - command; + } else { +- cl = cmdlen - 2; ++ cl = pr->endlen; + } + pr->keytoken = 0; + pr->has_space = false; +- pr->parsed = cl + 1; ++ pr->parsed = cl; + pr->request = command; + pr->reqlen = cmdlen; + int token_max = PARSER_MAX_TOKENS; +diff --git a/t/proxy.t b/t/proxy.t +index c85796d..203924b 100644 +--- a/t/proxy.t ++++ b/t/proxy.t +@@ -151,13 +151,14 @@ my $p_sock = $p_srv->sock; + # NOTE: memcached always allowed [\r]\n for single command lines, but payloads + # (set/etc) require exactly \r\n as termination. + # doc/protocol.txt has always specified \r\n for command/response. +-# Proxy is more strict than normal server in this case. ++# Note a bug lead me to believe that the proxy was more strict, we accept any ++# \n or \r\n terminated commands. + { + my $s = $srv[0]->sock; + print $s "version\n"; + like(<$s>, qr/VERSION/, "direct server version cmd with just newline"); + print $p_sock "version\n"; +- like(<$p_sock>, qr/SERVER_ERROR/, "proxy version cmd with just newline"); ++ like(<$p_sock>, qr/VERSION/, "proxy version cmd with just newline"); + print $p_sock "version\r\n"; + like(<$p_sock>, qr/VERSION/, "proxy version cmd with full CRLF"); + } diff --git a/meta-networking/recipes-support/memcached/memcached_1.6.15.bb b/meta-networking/recipes-support/memcached/memcached_1.6.15.bb index 64065e8547..010e8591cd 100644 --- a/meta-networking/recipes-support/memcached/memcached_1.6.15.bb +++ b/meta-networking/recipes-support/memcached/memcached_1.6.15.bb @@ -22,6 +22,7 @@ RDEPENDS:${PN} += "perl perl-module-posix perl-module-autoloader \ SRC_URI = "http://www.memcached.org/files/${BP}.tar.gz \ file://memcached-add-hugetlbfs-check.patch \ file://CVE-2023-46852.patch \ + file://CVE-2023-46853.patch \ " SRC_URI[sha256sum] = "8d7abe3d649378edbba16f42ef1d66ca3f2ac075f2eb97145ce164388e6ed515"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#124846): https://lists.openembedded.org/g/openembedded-devel/message/124846 Mute This Topic: https://lists.openembedded.org/mt/118130547/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
