When connecting to a server using SASL, memcached_sasl_authenticate_connection() reads the list of supported mechanisms [1] from the server via the command PROTOCOL_BINARY_CMD_SASL_LIST_MECHS. The server's response is a string containing supported authentication mechanisms, which gets stored into the (uninitialized) destination buffer without null termination [2].
The buffer then gets passed to sasl_client_start [3] which treats it as a null-terminated string [4], reading uninitialized bytes in the buffer.
As the buffer lives on the stack, an attacker who can put strings on the stack before the connection is made might be able to tamper with the authentication.
[1] libmemcached/sasl.cc:174
[2] libmemcached/response.cc:619
[3] libmemcached/sasl.cc:231
[4] http://linux.die.net/man/3/sasl_client_start
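
The pattern described above, reduced to an added example that is not libmemcached code: a length-delimited reply copied into a buffer holding earlier data, once without and once with termination. All function names, the buffer size, the server reply and the stale bytes are constructed for illustration; the buffer is pre-filled deliberately so the result is deterministic instead of depending on real uninitialized memory.

```c
#include <stdio.h>
#include <string.h>

#define MECH_BUF_SIZE 64 /* assumed size, not taken from libmemcached */

/* Pattern from the report: only the body is copied, so bytes already
 * in dst after body_len remain and no terminator is written. */
static void store_unterminated(char *dst, const char *body, size_t body_len)
{
    memcpy(dst, body, body_len);
}

/* Hardened copy: rejects bodies that do not fit or contain an embedded
 * NUL, and always terminates. Returns 0 on success, -1 on rejection. */
int store_terminated(char *dst, size_t dst_size,
                     const char *body, size_t body_len)
{
    if (dst_size == 0 || body_len >= dst_size)
        return -1;
    if (memchr(body, '\0', body_len) != NULL)
        return -1;
    memcpy(dst, body, body_len);
    dst[body_len] = '\0';
    return 0;
}

/* Returns the mechanism list a C-string consumer would read from out.
 * out is pre-filled with constructed bytes standing in for stale stack. */
const char *mechlist_seen(int hardened, char out[MECH_BUF_SIZE])
{
    static const char body[] = "CRAM-MD5"; /* constructed server reply */
    memset(out, 0, MECH_BUF_SIZE);
    memcpy(out, "........ PLAIN", 14);      /* constructed stale bytes */
    if (hardened) {
        if (store_terminated(out, MECH_BUF_SIZE, body, strlen(body)) != 0)
            return NULL;
    } else {
        store_unterminated(out, body, strlen(body));
    }
    return out;
}

int main(void)
{
    char buf[MECH_BUF_SIZE];
    printf("unterminated: \"%s\"\n", mechlist_seen(0, buf));
    printf("terminated:   \"%s\"\n", mechlist_seen(1, buf));
    return 0;
}
```

In the unterminated case the consumer reads a mechanism list containing an entry the server never sent, which is the effect the report warns about.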