
[meta-networking,kirkstone,1/3] memcached: patch CVE-2023-46852

Message ID 20260304113956.2245844-1-skandigraun@gmail.com
State New
Series [meta-networking,kirkstone,1/3] memcached: patch CVE-2023-46852

Commit Message

Gyorgy Sarvari March 4, 2026, 11:39 a.m. UTC
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-46852

Backport the patch that is referenced by the NVD advisory.

The test extension was not backported, because the modified testcase
does not exist in the recipe version yet.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 .../memcached/memcached/CVE-2023-46852.patch  | 68 +++++++++++++++++++
 .../memcached/memcached_1.6.15.bb             |  1 +
 2 files changed, 69 insertions(+)
 create mode 100644 meta-networking/recipes-support/memcached/memcached/CVE-2023-46852.patch

Patch

diff --git a/meta-networking/recipes-support/memcached/memcached/CVE-2023-46852.patch b/meta-networking/recipes-support/memcached/memcached/CVE-2023-46852.patch
new file mode 100644
index 0000000000..d0b5db23b7
--- /dev/null
+++ b/meta-networking/recipes-support/memcached/memcached/CVE-2023-46852.patch
@@ -0,0 +1,68 @@ 
+From 3e7027caf6b1eb79d3d98a77e17051b120c30b9b Mon Sep 17 00:00:00 2001
+From: dormando <dormando@rydia.net>
+Date: Fri, 28 Jul 2023 10:32:16 -0700
+Subject: [PATCH] proxy: fix buffer overflow with multiget syntax
+
+"get[200 spaces]key1 key2\r\n" would overflow a temporary buffer used to
+process multiget syntax.
+
+To exploit this you must first pass the check in try_read_command_proxy:
+- The request before the first newline must be less than 1024 bytes.
+- If it is more than 1024 bytes there is a limit of 100 spaces.
+- The key length is still checked at 250 bytes
+- Meaning you have up to 772 spaces and then the key to create stack
+  corruption.
+
+So the amount of data you can shove in here isn't unlimited.
+
+The fix caps the amount of data pre-key to be reasonable. Something like
+GAT needs space for a 32bit TTL which is at most going to be 15 bytes +
+spaces, so we limit it to 20 bytes.
+
+I hate hate hate hate hate the multiget syntax. hate it.
+
+CVE: CVE-2023-46852
+Upstream-Status: Backport [https://github.com/memcached/memcached/commit/76a6c363c18cfe7b6a1524ae64202ac9db330767]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ proto_proxy.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/proto_proxy.c b/proto_proxy.c
+index 6c028f4..94e38b6 100644
+--- a/proto_proxy.c
++++ b/proto_proxy.c
+@@ -613,6 +613,12 @@ int proxy_run_coroutine(lua_State *Lc, mc_resp *resp, io_pending_proxy_t *p, con
+     return 0;
+ }
+ 
++// basically any data before the first key.
++// max is like 15ish plus spaces. we can be more strict about how many spaces
++// to expect because any client spamming space is being deliberately stupid
++// anyway.
++#define MAX_CMD_PREFIX 20
++
+ static void proxy_process_command(conn *c, char *command, size_t cmdlen, bool multiget) {
+     assert(c != NULL);
+     LIBEVENT_THREAD *thr = c->thread;
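Review bot: the comment above MAX_CMD_PREFIX should state what the 20 bytes actually bound: the byte offset of the first key token (command word, any leading flags such as a GAT TTL, and the spaces between them), since that offset, pr.tokens[pr.keytoken], is what the next hunk compares against the constant; "basically any data before the first key" and "15ish plus spaces" read as a guess rather than a stated limit. Nit on the patch header: the From: line names commit 3e7027caf6b1eb79d3d98a77e17051b120c30b9b while Upstream-Status cites 76a6c363c18cfe7b6a1524ae64202ac9db330767; make the two agree, or say which one is the upstream commit the backport was taken from.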
+@@ -670,12 +676,18 @@ static void proxy_process_command(conn *c, char *command, size_t cmdlen, bool mu
+     if (!multiget && pr.cmd_type == CMD_TYPE_GET && pr.has_space) {
+         uint32_t keyoff = pr.tokens[pr.keytoken];
+         while (pr.klen != 0) {
+-            char temp[KEY_MAX_LENGTH + 30];
++            char temp[KEY_MAX_LENGTH + MAX_CMD_PREFIX + 30];
+             char *cur = temp;
+             // Core daemon can abort the entire command if one key is bad, but
+             // we cannot from the proxy. Instead we have to inject errors into
+             // the stream. This should, thankfully, be rare at least.
+-            if (pr.klen > KEY_MAX_LENGTH) {
++            if (pr.tokens[pr.keytoken] > MAX_CMD_PREFIX) {
++                if (!resp_start(c)) {
++                    conn_set_state(c, conn_closing);
++                    return;
++                }
++                proxy_out_errstring(c->resp, PROXY_CLIENT_ERROR, "malformed request");
++            } else if (pr.klen > KEY_MAX_LENGTH) {
+                 if (!resp_start(c)) {
+                     conn_set_state(c, conn_closing);
+                     return;
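Review bot: the new check `pr.tokens[pr.keytoken] > MAX_CMD_PREFIX` is evaluated on every pass of `while (pr.klen != 0)`, but as far as the hunk shows its operand never changes across iterations (keyoff is read from that same token once, before the loop), so a request with an oversized prefix answers with one "malformed request" error per key instead of one per command; either hoist the check above the loop or leave the loop after proxy_out_errstring. The ordering itself is right: the prefix bound is enforced before the key-length bound, and both before anything is copied into temp, whose new size KEY_MAX_LENGTH + MAX_CMD_PREFIX + 30 keeps the same 30 bytes of slack as before.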
diff --git a/meta-networking/recipes-support/memcached/memcached_1.6.15.bb b/meta-networking/recipes-support/memcached/memcached_1.6.15.bb
index 76e4768fb9..64065e8547 100644
--- a/meta-networking/recipes-support/memcached/memcached_1.6.15.bb
+++ b/meta-networking/recipes-support/memcached/memcached_1.6.15.bb
@@ -21,6 +21,7 @@  RDEPENDS:${PN} += "perl perl-module-posix perl-module-autoloader \
 
 SRC_URI = "http://www.memcached.org/files/${BP}.tar.gz \
            file://memcached-add-hugetlbfs-check.patch \
+           file://CVE-2023-46852.patch \
            "
 SRC_URI[sha256sum] = "8d7abe3d649378edbba16f42ef1d66ca3f2ac075f2eb97145ce164388e6ed515"
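Review bot: the fix lives entirely in proto_proxy.c, so the commit message should say whether this recipe builds memcached's proxy at all; if the proxy is not compiled in, the patch is inert for this build (still reasonable to carry for CVE tracking, but then state that), and if it is, the missing test backport noted in the commit message means nothing in the recipe exercises the new check.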
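To make the bound concrete, here is an added example (my own code, not memcached's) that models the per-key rewrite the backported commit message describes: the bytes before the first key, one key and a CRLF are copied into a fixed temp[] buffer, first behind the pre-fix guard (key length only) and then behind the post-fix guard (first-key offset capped at MAX_CMD_PREFIX, then key length). Only KEY_MAX_LENGTH, MAX_CMD_PREFIX and the two temp[] sizes come from the patch; the tokenizer, the `prefix + key + "\r\n"` layout and the request builder are assumptions of the model, not the proxy's parser. Nothing here writes past a buffer; the guards report whether the copy would.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constants as given in the backported hunk and its commit message. */
#define KEY_MAX_LENGTH 250
#define MAX_CMD_PREFIX 20
#define TEMP_OLD_LEN (KEY_MAX_LENGTH + 30)                  /* 280: pre-fix temp[]  */
#define TEMP_NEW_LEN (KEY_MAX_LENGTH + MAX_CMD_PREFIX + 30) /* 300: post-fix temp[] */

/* Modelled tokenizer (assumption, not the proxy's parser): the first key token
 * starts after the command word and the run of spaces that follows it. */
static size_t first_key_offset(const char *req, size_t len) {
    size_t i = 0;
    while (i < len && req[i] != ' ') i++;   /* command word */
    while (i < len && req[i] == ' ') i++;   /* separating spaces */
    return i;
}

/* Length of the key token at 'off' (stops at space, CR or end of request). */
static size_t key_len_at(const char *req, size_t len, size_t off) {
    size_t n = 0;
    while (off + n < len && req[off + n] != ' ' && req[off + n] != '\r') n++;
    return n;
}

/* Bytes the per-key rewrite "<prefix><one key>\r\n" needs in temp[].
 * Assumed layout; it is what the +30 slack in temp[] appears to reserve for. */
static size_t rewrite_len(size_t keyoff, size_t klen) {
    return keyoff + klen + 2;
}

/* Pre-fix guard: only the key length is checked before the copy.
 * Returns true when the copy would run past the end of temp[]. */
static bool old_guard_overflows(const char *req, size_t len) {
    size_t keyoff = first_key_offset(req, len);
    size_t klen = key_len_at(req, len, keyoff);
    if (klen > KEY_MAX_LENGTH) return false;        /* "key too long": nothing copied */
    return rewrite_len(keyoff, klen) > TEMP_OLD_LEN;
}

/* Post-fix guard: reject an oversized prefix first, then an oversized key. */
static bool new_guard_overflows(const char *req, size_t len) {
    size_t keyoff = first_key_offset(req, len);
    size_t klen = key_len_at(req, len, keyoff);
    if (keyoff > MAX_CMD_PREFIX) return false;      /* "malformed request" */
    if (klen > KEY_MAX_LENGTH) return false;        /* "key too long" */
    return rewrite_len(keyoff, klen) > TEMP_NEW_LEN;
}

/* Constructed request: "get" + nspaces spaces + a key of klen 'k' bytes + " k2\r\n".
 * Returns the request length, or 0 if it does not fit in buf. */
static size_t build_request(char *buf, size_t cap, size_t nspaces, size_t klen) {
    size_t need = 3 + nspaces + klen + 5;
    if (need > cap) return 0;
    size_t p = 0;
    memcpy(buf + p, "get", 3);        p += 3;
    memset(buf + p, ' ', nspaces);    p += nspaces;
    memset(buf + p, 'k', klen);       p += klen;
    memcpy(buf + p, " k2\r\n", 5);    p += 5;
    return p;
}

/* Build the constructed request and run one guard on it:
 * fixed=false is the pre-fix guard, fixed=true the post-fix guard. */
static bool guard_overflows(size_t nspaces, size_t klen, bool fixed) {
    char req[2048];
    size_t n = build_request(req, sizeof req, nspaces, klen);
    if (n == 0) return false;
    return fixed ? new_guard_overflows(req, n) : old_guard_overflows(req, n);
}

int main(void) {
    printf("1 space,   4-byte key  : old=%d new=%d\n",
           guard_overflows(1, 4, false), guard_overflows(1, 4, true));
    /* Commit-message shape: 200 spaces, then a legal 250-byte key.
     * Old guard lets 203 + 250 + 2 = 455 bytes go into a 280-byte buffer. */
    printf("200 spaces, 250-byte key: old=%d new=%d\n",
           guard_overflows(200, KEY_MAX_LENGTH, false), guard_overflows(200, KEY_MAX_LENGTH, true));
    /* Smallest space run that already breaks the old buffer: 3 + 26 + 250 + 2 = 281. */
    printf("26 spaces,  250-byte key: old=%d new=%d\n",
           guard_overflows(26, KEY_MAX_LENGTH, false), guard_overflows(26, KEY_MAX_LENGTH, true));
    /* Largest prefix the fix accepts (offset exactly 20) with a maximal key: 272 of 300 bytes. */
    printf("17 spaces,  250-byte key: old=%d new=%d\n",
           guard_overflows(17, KEY_MAX_LENGTH, false), guard_overflows(17, KEY_MAX_LENGTH, true));
    return 0;
}
```

Under this model the post-fix guard cannot overflow: the largest rewrite it accepts is 20 + 250 + 2 = 272 bytes into a 300-byte buffer, whereas the pre-fix guard lets 26 spaces with a maximal key write one byte past the 280-byte buffer and 200 spaces write 175 bytes past it. The order of the two checks matters as much as the constant: the prefix must be rejected before the key length is even considered, because a legal key is what pushes an oversized prefix over the edge.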