Hi, Memcached team,

Recently, I revealed a buffer overflow vulnerability which may cause DOS attack. The exploit details can be found as following.

Affect Version

memcached-1.6.0
memcached-1.6.1

Root cause

file location: memcached.c:6156-6187

Code Audit

6178   char extbuf[sizeof(c->binary_header) + BIN_MAX_EXTLEN];
6179   memcpy(extbuf + sizeof(c->binary_header), c->rcurr + sizeof(c->binary_header), **extlen**);

in line 6179, since there is no mechanism to verify the parameter's length, in this case, the length of "extlen" when calling memcpy function, It will cause buffer overflow if large value assigned to the extlen variable.

POC

0x80 0x01 [0x00 0x00] keylen

[0x30] extlen 0x00 0x00 x00

for the POC snippet, first, if I assign a large value to the variable extlen, on the other hand, in order to bypass the validation of data packet which sent in following code snippet,

6156 if (c->rbytes < keylen + extlen + sizeof(c->binary_header))

we can construct a very large data packet and send it to the server running memcached 1.6.0 or 1.6.1 anonymously. After that, the program will crash because of the issue mentioned above.

Note: Please confirm this issue ASAP. Besides, just letting you know, I am gonna submit this issue to CVE mitre.

Please let me if you have any questions.

Sincerely,
Icejl