Missing null termination in memcached_sasl_authenticate_connection
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
libmemcached | New | Undecided | Unassigned |
Bug Description
memcached_
In my concrete scenario the server returns

    header.response = {magic = 129, opcode = 32, keylen = 0, extlen = 0, datatype = 0, status = 0, bodylen = 5, opaque = 512, cas = 0}

with the body containing "PLAIN" (no null termination), which then ends up in the string passed to SASL as "PLAIN<random characters>". As the buffer is stack allocated (in my case it sometimes contained lines from /etc/resolv.conf), this could be used to inject mechanisms in the list.

Tested with libmemcached-1.0.18 and cyrus-sasl-2.1.25 (relevant code paths are the same in the latest version).
information type: Private Security → Public Security
tags: added: sasl
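As an added illustration (not libmemcached's code and not the attached patch), the constructed C example below reproduces the pattern the report describes: the server's 5-byte "PLAIN" body copied into a buffer and then treated as a C string with no terminator written, next to the bounded copy that checks the body fits and writes the '\0' explicitly. The STALE bytes, MECH_BUF and all function names are assumptions made for this demo.

```c
#include <stdint.h>
#include <string.h>
/* Constructed header with the fields quoted in the report. */
struct response_header {
    uint8_t magic, opcode; uint16_t keylen;
    uint8_t extlen, datatype; uint16_t status;
    uint32_t bodylen, opaque; uint64_t cas;
};
#define MECH_BUF 64
/* Constructed stand-in for stale stack bytes (keeps the demo deterministic). */
static const char STALE[] = "nameserver 127.0.0.1\n";
/* The response from the report: bodylen 5, body "PLAIN", no terminator. */
static const struct response_header HDR = {129, 32, 0, 0, 0, 0, 5, 512, 0};
static const char BODY[5] = {'P', 'L', 'A', 'I', 'N'};

/* Buggy pattern: copy bodylen bytes, then treat the buffer as a C string. */
size_t unterminated_mech_len(void)
{
    char mech[MECH_BUF] = {0};
    memcpy(mech, STALE, sizeof STALE);  /* leftover bytes in the buffer */
    memcpy(mech, BODY, HDR.bodylen);    /* no '\0' written after "PLAIN" */
    return strlen(mech);                /* runs on into the stale bytes */
}

/* Fixed pattern: check that the body fits, then terminate explicitly.
 * Returns 0 on success, -1 if bodylen leaves no room for the '\0'. */
static int copy_mech_list(const struct response_header *h, const char *body, char out[MECH_BUF])
{
    if (h->bodylen >= MECH_BUF)
        return -1;
    memcpy(out, STALE, sizeof STALE);   /* same leftover bytes */
    memcpy(out, body, h->bodylen);
    out[h->bodylen] = '\0';
    return 0;
}

const char *terminated_mech_list(void)
{
    static char mech[MECH_BUF];
    return copy_mech_list(&HDR, BODY, mech) == 0 ? mech : NULL;
}

int oversized_body_rejected(void)
{
    struct response_header big = HDR;
    char mech[MECH_BUF];
    big.bodylen = MECH_BUF;             /* would leave no room for the '\0' */
    return copy_mech_list(&big, BODY, mech) == -1;
}
```

The buggy copy yields a 21-character string ("PLAIN" followed by the stale bytes) where the fixed copy yields exactly "PLAIN" and refuses a body that would not fit.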
This is affecting us too. When using memcached as the session storage backend for PHP, this often results in the SASL authentication failing, which prevents the sessions from being saved. Note that this was only observed when configuring libmemcached without --enable-debug. The -fsanitize options that are added in debug mode hide the issue.
I attached the (naive) patch that we're using.