From: Brian Aker Date: Thu, 10 Feb 2011 18:43:18 +0000 (-0800) Subject: Fix for bug 633247 X-Git-Tag: 0.51~45^2~10 X-Git-Url: https://git.m6w6.name/?a=commitdiff_plain;h=44bc9cfbcf0794de92da28d9aaaa46d62945ce4e;p=m6w6%2Flibmemcached Fix for bug 633247 --- diff --git a/ChangeLog b/ChangeLog index f2e3f580..ca2fe281 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,6 @@ + * Bug lp:633247 + + 0.45 Tue Feb 8 16:02:06 PST 2011 * Add support for systemtap diff --git a/libmemcached/auto.c b/libmemcached/auto.c index ce2d0261..a221144f 100644 --- a/libmemcached/auto.c +++ b/libmemcached/auto.c @@ -18,7 +18,6 @@ static memcached_return_t text_incr_decr(memcached_st *ptr, uint64_t offset, uint64_t *value) { - size_t send_length; memcached_return_t rc; char buffer[MEMCACHED_DEFAULT_COMMAND_SIZE]; uint32_t server_key; @@ -34,16 +33,17 @@ static memcached_return_t text_incr_decr(memcached_st *ptr, server_key= memcached_generate_hash_with_redistribution(ptr, master_key, master_key_length); instance= memcached_server_instance_fetch(ptr, server_key); - send_length= (size_t)snprintf(buffer, MEMCACHED_DEFAULT_COMMAND_SIZE, - "%s %.*s%.*s %" PRIu64 "%s\r\n", verb, - (int)ptr->prefix_key_length, - ptr->prefix_key, - (int)key_length, key, - offset, no_reply ? " noreply" : ""); - unlikely (send_length >= MEMCACHED_DEFAULT_COMMAND_SIZE) + int send_length; + send_length= snprintf(buffer, MEMCACHED_DEFAULT_COMMAND_SIZE, + "%s %.*s%.*s %" PRIu64 "%s\r\n", verb, + (int)ptr->prefix_key_length, + ptr->prefix_key, + (int)key_length, key, + offset, no_reply ? " noreply" : ""); + if (send_length >= MEMCACHED_DEFAULT_COMMAND_SIZE || send_length < 0) return MEMCACHED_WRITE_FAILURE; - rc= memcached_do(instance, buffer, send_length, true); + rc= memcached_do(instance, buffer, (size_t)send_length, true); if (no_reply || rc != MEMCACHED_SUCCESS) return rc; diff --git a/libmemcached/connect.c b/libmemcached/connect.c index c4b263e1..75d174b4 100644 --- a/libmemcached/connect.c +++ b/libmemcached/connect.c @@ -95,7 +95,9 @@ static memcached_return_t set_hostinfo(memcached_server_st *server) char str_port[NI_MAXSERV]; uint32_t counter= 5; - snprintf(str_port, NI_MAXSERV, "%u", (uint32_t)server->port); + int length= snprintf(str_port, NI_MAXSERV, "%u", (uint32_t)server->port); + if (length >= NI_MAXSERV || length < 0) + return MEMCACHED_FAILURE; memset(&hints, 0, sizeof(hints)); diff --git a/libmemcached/delete.c b/libmemcached/delete.c index 84a34271..ef1fa6da 100644 --- a/libmemcached/delete.c +++ b/libmemcached/delete.c @@ -20,7 +20,6 @@ memcached_return_t memcached_delete_by_key(memcached_st *ptr, time_t expiration) { bool to_write; - size_t send_length; memcached_return_t rc; char buffer[MEMCACHED_DEFAULT_COMMAND_SIZE]; uint32_t server_key; @@ -56,6 +55,8 @@ memcached_return_t memcached_delete_by_key(memcached_st *ptr, } else { + int send_length; + unlikely (expiration) { if ((instance->major_version == 1 && @@ -89,25 +90,25 @@ memcached_return_t memcached_delete_by_key(memcached_st *ptr, no_reply= false; } } - send_length= (size_t) snprintf(buffer, MEMCACHED_DEFAULT_COMMAND_SIZE, - "delete %.*s%.*s %u%s\r\n", - (int)ptr->prefix_key_length, - ptr->prefix_key, - (int) key_length, key, - (uint32_t)expiration, - no_reply ? " noreply" :"" ); + send_length= snprintf(buffer, MEMCACHED_DEFAULT_COMMAND_SIZE, + "delete %.*s%.*s %u%s\r\n", + (int)ptr->prefix_key_length, + ptr->prefix_key, + (int) key_length, key, + (uint32_t)expiration, + no_reply ? " noreply" :"" ); } } else { - send_length= (size_t) snprintf(buffer, MEMCACHED_DEFAULT_COMMAND_SIZE, - "delete %.*s%.*s%s\r\n", - (int)ptr->prefix_key_length, - ptr->prefix_key, - (int)key_length, key, no_reply ? " noreply" :""); + send_length= snprintf(buffer, MEMCACHED_DEFAULT_COMMAND_SIZE, + "delete %.*s%.*s%s\r\n", + (int)ptr->prefix_key_length, + ptr->prefix_key, + (int)key_length, key, no_reply ? " noreply" :""); } - if (send_length >= MEMCACHED_DEFAULT_COMMAND_SIZE) + if (send_length >= MEMCACHED_DEFAULT_COMMAND_SIZE || send_length < 0) { rc= MEMCACHED_WRITE_FAILURE; goto error; @@ -121,7 +122,7 @@ memcached_return_t memcached_delete_by_key(memcached_st *ptr, memcached_io_write(instance, NULL, 0, true); } - rc= memcached_do(instance, buffer, send_length, to_write); + rc= memcached_do(instance, buffer, (size_t)send_length, to_write); } if (rc != MEMCACHED_SUCCESS) diff --git a/libmemcached/dump.c b/libmemcached/dump.c index a0d62df0..9ec2dab5 100644 --- a/libmemcached/dump.c +++ b/libmemcached/dump.c @@ -11,7 +11,6 @@ static memcached_return_t ascii_dump(memcached_st *ptr, memcached_dump_fn *callb { memcached_return_t rc= MEMCACHED_SUCCESS; char buffer[MEMCACHED_DEFAULT_COMMAND_SIZE]; - size_t send_length; uint32_t server_key; uint32_t x; @@ -26,10 +25,16 @@ static memcached_return_t ascii_dump(memcached_st *ptr, memcached_dump_fn *callb /* 256 I BELIEVE is the upper limit of slabs */ for (x= 0; x < 256; x++) { - send_length= (size_t) snprintf(buffer, MEMCACHED_DEFAULT_COMMAND_SIZE, - "stats cachedump %u 0 0\r\n", x); + int send_length; + send_length= snprintf(buffer, MEMCACHED_DEFAULT_COMMAND_SIZE, + "stats cachedump %u 0 0\r\n", x); - rc= memcached_do(instance, buffer, send_length, true); + if (send_length >= MEMCACHED_DEFAULT_COMMAND_SIZE || send_length < 0) + { + return MEMCACHED_FAILURE; + } + + rc= memcached_do(instance, buffer, (size_t)send_length, true); unlikely (rc != MEMCACHED_SUCCESS) goto error; diff --git a/libmemcached/flush.c b/libmemcached/flush.c index 425d4576..5aaffa56 100644 --- a/libmemcached/flush.c +++ b/libmemcached/flush.c @@ -21,29 +21,37 @@ memcached_return_t memcached_flush(memcached_st *ptr, time_t expiration) static memcached_return_t memcached_flush_textual(memcached_st *ptr, time_t expiration) { - unsigned int x; - size_t send_length; - memcached_return_t rc; - char buffer[MEMCACHED_DEFAULT_COMMAND_SIZE]; - unlikely (memcached_server_count(ptr) == 0) return MEMCACHED_NO_SERVERS; - for (x= 0; x < memcached_server_count(ptr); x++) + for (unsigned int x= 0; x < memcached_server_count(ptr); x++) { + memcached_return_t rc; + char buffer[MEMCACHED_DEFAULT_COMMAND_SIZE]; + bool no_reply= ptr->flags.no_reply; memcached_server_write_instance_st instance= memcached_server_instance_fetch(ptr, x); + int send_length; if (expiration) - send_length= (size_t) snprintf(buffer, MEMCACHED_DEFAULT_COMMAND_SIZE, - "flush_all %llu%s\r\n", - (unsigned long long)expiration, no_reply ? " noreply" : ""); + { + send_length= snprintf(buffer, MEMCACHED_DEFAULT_COMMAND_SIZE, + "flush_all %llu%s\r\n", + (unsigned long long)expiration, no_reply ? " noreply" : ""); + } else - send_length= (size_t) snprintf(buffer, MEMCACHED_DEFAULT_COMMAND_SIZE, - "flush_all%s\r\n", no_reply ? " noreply" : ""); + { + send_length= snprintf(buffer, MEMCACHED_DEFAULT_COMMAND_SIZE, + "flush_all%s\r\n", no_reply ? " noreply" : ""); + } + + if (send_length >= MEMCACHED_DEFAULT_COMMAND_SIZE || send_length < 0) + { + return MEMCACHED_FAILURE; + } - rc= memcached_do(instance, buffer, send_length, true); + rc= memcached_do(instance, buffer, (size_t)send_length, true); if (rc == MEMCACHED_SUCCESS && !no_reply) (void)memcached_response(instance, buffer, MEMCACHED_DEFAULT_COMMAND_SIZE, NULL); diff --git a/libmemcached/hosts.c b/libmemcached/hosts.c index 4018a258..ec12c92f 100644 --- a/libmemcached/hosts.c +++ b/libmemcached/hosts.c @@ -206,15 +206,20 @@ static memcached_return_t update_continuum(memcached_st *ptr) pointer_index++) { char sort_host[MEMCACHED_MAX_HOST_SORT_LENGTH]= ""; - size_t sort_host_length; + int sort_host_length; // Spymemcached ketema key format is: hostname/ip:port-index // If hostname is not available then: /ip:port-index - sort_host_length= (size_t) snprintf(sort_host, MEMCACHED_MAX_HOST_SORT_LENGTH, - "/%s:%u-%u", - list[host_index].hostname, - (uint32_t)list[host_index].port, - pointer_index); + sort_host_length= snprintf(sort_host, MEMCACHED_MAX_HOST_SORT_LENGTH, + "/%s:%u-%u", + list[host_index].hostname, + (uint32_t)list[host_index].port, + pointer_index); + + if (sort_host_length >= MEMCACHED_MAX_HOST_SORT_LENGTH || sort_host_length < 0) + { + return MEMCACHED_FAILURE; + } #ifdef DEBUG printf("update_continuum: key is %s\n", sort_host); #endif @@ -225,14 +230,14 @@ static memcached_return_t update_continuum(memcached_st *ptr) { for (uint32_t x= 0; x < pointer_per_hash; x++) { - value= ketama_server_hash(sort_host, sort_host_length, x); + value= ketama_server_hash(sort_host, (size_t)sort_host_length, x); ptr->continuum[continuum_index].index= host_index; ptr->continuum[continuum_index++].value= value; } } else { - value= hashkit_digest(&ptr->distribution_hashkit, sort_host, sort_host_length); + value= hashkit_digest(&ptr->distribution_hashkit, sort_host, (size_t)sort_host_length); ptr->continuum[continuum_index].index= host_index; ptr->continuum[continuum_index++].value= value; } @@ -245,22 +250,27 @@ static memcached_return_t update_continuum(memcached_st *ptr) pointer_index++) { char sort_host[MEMCACHED_MAX_HOST_SORT_LENGTH]= ""; - size_t sort_host_length; + int sort_host_length; if (list[host_index].port == MEMCACHED_DEFAULT_PORT) { - sort_host_length= (size_t) snprintf(sort_host, MEMCACHED_MAX_HOST_SORT_LENGTH, - "%s-%u", - list[host_index].hostname, - pointer_index - 1); + sort_host_length= snprintf(sort_host, MEMCACHED_MAX_HOST_SORT_LENGTH, + "%s-%u", + list[host_index].hostname, + pointer_index - 1); } else { - sort_host_length= (size_t) snprintf(sort_host, MEMCACHED_MAX_HOST_SORT_LENGTH, - "%s:%u-%u", - list[host_index].hostname, - (uint32_t)list[host_index].port, - pointer_index - 1); + sort_host_length= snprintf(sort_host, MEMCACHED_MAX_HOST_SORT_LENGTH, + "%s:%u-%u", + list[host_index].hostname, + (uint32_t)list[host_index].port, + pointer_index - 1); + } + + if (sort_host_length >= MEMCACHED_MAX_HOST_SORT_LENGTH || sort_host_length < 0) + { + return MEMCACHED_FAILURE; } WATCHPOINT_ASSERT(sort_host_length); @@ -269,14 +279,14 @@ static memcached_return_t update_continuum(memcached_st *ptr) { for (uint32_t x = 0; x < pointer_per_hash; x++) { - value= ketama_server_hash(sort_host, sort_host_length, x); + value= ketama_server_hash(sort_host, (size_t)sort_host_length, x); ptr->continuum[continuum_index].index= host_index; ptr->continuum[continuum_index++].value= value; } } else { - value= hashkit_digest(&ptr->distribution_hashkit, sort_host, sort_host_length); + value= hashkit_digest(&ptr->distribution_hashkit, sort_host, (size_t)sort_host_length); ptr->continuum[continuum_index].index= host_index; ptr->continuum[continuum_index++].value= value; } diff --git a/libmemcached/stats.c b/libmemcached/stats.c index 0c52d97a..ab005f49 100644 --- a/libmemcached/stats.c +++ b/libmemcached/stats.c @@ -227,6 +227,12 @@ char *memcached_stat_get_value(const memcached_st *ptr, memcached_stat_st *memc_ return NULL; } + if (length >= SMALL_STRING_LEN || length < 0) + { + *error= MEMCACHED_FAILURE; + return NULL; + } + ret= libmemcached_malloc(ptr, (size_t) (length + 1)); memcpy(ret, buffer, (size_t) length); ret[length]= '\0'; @@ -329,7 +335,7 @@ static memcached_return_t ascii_stats_fetch(memcached_stat_st *memc_stat, { memcached_return_t rc; char buffer[MEMCACHED_DEFAULT_COMMAND_SIZE]; - size_t send_length; + int send_length; if (args) send_length= (size_t) snprintf(buffer, MEMCACHED_DEFAULT_COMMAND_SIZE, @@ -338,10 +344,10 @@ static memcached_return_t ascii_stats_fetch(memcached_stat_st *memc_stat, send_length= (size_t) snprintf(buffer, MEMCACHED_DEFAULT_COMMAND_SIZE, "stats\r\n"); - if (send_length >= MEMCACHED_DEFAULT_COMMAND_SIZE) + if (send_length >= MEMCACHED_DEFAULT_COMMAND_SIZE || send_length < 0) return MEMCACHED_WRITE_FAILURE; - rc= memcached_do(instance, buffer, send_length, true); + rc= memcached_do(instance, buffer, (size_t)send_length, true); if (rc != MEMCACHED_SUCCESS) goto error; diff --git a/libmemcached/storage.c b/libmemcached/storage.c index 25aaba30..782a3766 100644 --- a/libmemcached/storage.c +++ b/libmemcached/storage.c @@ -104,15 +104,24 @@ static inline memcached_return_t memcached_send(memcached_st *ptr, if (cas) { - write_length= (size_t) snprintf(buffer, MEMCACHED_DEFAULT_COMMAND_SIZE, - "%s %.*s%.*s %u %llu %zu %llu%s\r\n", - storage_op_string(verb), - (int)ptr->prefix_key_length, - ptr->prefix_key, - (int)key_length, key, flags, - (unsigned long long)expiration, value_length, - (unsigned long long)cas, - (ptr->flags.no_reply) ? " noreply" : ""); + int check_length; + check_length= snprintf(buffer, MEMCACHED_DEFAULT_COMMAND_SIZE, + "%s %.*s%.*s %u %llu %zu %llu%s\r\n", + storage_op_string(verb), + (int)ptr->prefix_key_length, + ptr->prefix_key, + (int)key_length, key, flags, + (unsigned long long)expiration, value_length, + (unsigned long long)cas, + (ptr->flags.no_reply) ? " noreply" : ""); + if (check_length >= MEMCACHED_DEFAULT_COMMAND_SIZE || check_length < 0) + { + rc= MEMCACHED_WRITE_FAILURE; + memcached_io_reset(instance); + + return rc; + } + write_length= check_length; } else { @@ -133,11 +142,22 @@ static inline memcached_return_t memcached_send(memcached_st *ptr, buffer_ptr++; write_length= (size_t)(buffer_ptr - buffer); - write_length+= (size_t) snprintf(buffer_ptr, MEMCACHED_DEFAULT_COMMAND_SIZE, - "%u %llu %zu%s\r\n", - flags, - (unsigned long long)expiration, value_length, - ptr->flags.no_reply ? " noreply" : ""); + int check_length; + check_length= snprintf(buffer_ptr, MEMCACHED_DEFAULT_COMMAND_SIZE -(size_t)(buffer_ptr - buffer), + "%u %llu %zu%s\r\n", + flags, + (unsigned long long)expiration, value_length, + ptr->flags.no_reply ? " noreply" : ""); + if ((size_t)check_length >= MEMCACHED_DEFAULT_COMMAND_SIZE -(size_t)(buffer_ptr - buffer) || check_length < 0) + { + rc= MEMCACHED_WRITE_FAILURE; + memcached_io_reset(instance); + + return rc; + } + + write_length+= (size_t)check_length; + WATCHPOINT_ASSERT(write_length < MEMCACHED_DEFAULT_COMMAND_SIZE); } if (ptr->flags.use_udp && ptr->flags.buffer_requests) diff --git a/libmemcached/verbosity.c b/libmemcached/verbosity.c index fba00144..d0903514 100644 --- a/libmemcached/verbosity.c +++ b/libmemcached/verbosity.c @@ -41,17 +41,17 @@ static memcached_return_t _set_verbosity(const memcached_st *ptr __attribute__(( memcached_return_t memcached_verbosity(memcached_st *ptr, uint32_t verbosity) { - size_t send_length; + int send_length; memcached_server_fn callbacks[1]; char buffer[MEMCACHED_DEFAULT_COMMAND_SIZE]; - send_length= (size_t) snprintf(buffer, MEMCACHED_DEFAULT_COMMAND_SIZE, + send_length= snprintf(buffer, MEMCACHED_DEFAULT_COMMAND_SIZE, "verbosity %u\r\n", verbosity); - unlikely (send_length >= MEMCACHED_DEFAULT_COMMAND_SIZE) + if (send_length >= MEMCACHED_DEFAULT_COMMAND_SIZE || send_length < 0) return MEMCACHED_WRITE_FAILURE; - struct context_st context = { .length= send_length, .buffer= buffer }; + struct context_st context = { .length= (size_t)send_length, .buffer= buffer }; callbacks[0]= _set_verbosity;