Hi, Memcached team,
Recently, I revealed a buffer overflow vulnerability which may cause a DoS attack. The exploit details are as follows.
Affected Versions
memcached-1.6.0
memcached-1.6.1
Root cause
file location: memcached.c:6156-6187
Code Audit
6178 char extbuf[sizeof(c->binary_header) + BIN_MAX_EXTLEN];
6179 memcpy(extbuf + sizeof(c->binary_header), c->rcurr + sizeof(c->binary_header), extlen);
In line 6179, since there is no mechanism to verify the parameter's length (in this case, the length of "extlen") when calling the memcpy function, it will cause a buffer overflow if a large value is assigned to the extlen variable.
POC
0x80 0x01 [0x00 0x00] keylen [0x30] extlen 0x00 0x00 x00
For the POC snippet, first, I assign a large value to the variable extlen; on the other hand, in order to bypass the validation of the data packet that is sent, shown in the following code snippet,
6156 if (c->rbytes < keylen + extlen + sizeof(c->binary_header))
we can construct a very large data packet and send it to the server running memcached 1.6.0 or 1.6.1 anonymously. After that, the program will crash because of the issue mentioned above.
Note: Please confirm this issue ASAP. Besides, just letting you know, I am gonna submit this issue to CVE mitre.
Please let me know if you have any questions.
Sincerely,
Icejl
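
Added example (not part of the original report, and not memcached's own code): a minimal C sketch of the length check the report says is missing, validating extlen against the staging buffer before it is used as a memcpy length. The helper names stage_header and try_extlen, the BIN_MAX_EXTLEN value of 20 and the zero-filled sample request are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BIN_HDR_LEN    24  /* size of the binary protocol request header */
#define BIN_MAX_EXTLEN 20  /* assumed value for this sketch */

enum { NEED_MORE = -1, REJECT = -2 };

/* Hypothetical helper: copy header + extras from the read buffer into a
 * fixed-size staging buffer, as the code in the report does, but bounded. */
int stage_header(const uint8_t *rcurr, size_t rbytes,
                 uint8_t extbuf[BIN_HDR_LEN + BIN_MAX_EXTLEN])
{
    if (rbytes < BIN_HDR_LEN)
        return NEED_MORE;
    size_t keylen = ((size_t)rcurr[2] << 8) | rcurr[3]; /* network order */
    size_t extlen = rcurr[4];

    /* The check missing in the report: extlen comes from the client and
     * must fit the staging buffer before it is used as a copy length. */
    if (extlen > BIN_MAX_EXTLEN)
        return REJECT;
    /* The check quoted from line 6156: is the whole request buffered? */
    if (rbytes < keylen + extlen + BIN_HDR_LEN)
        return NEED_MORE;

    memcpy(extbuf, rcurr, BIN_HDR_LEN);
    memcpy(extbuf + BIN_HDR_LEN, rcurr + BIN_HDR_LEN, extlen);
    return (int)(BIN_HDR_LEN + extlen);
}

/* Constructed sample: a zero-filled request carrying the given extlen. */
int try_extlen(uint8_t extlen, size_t rbytes)
{
    uint8_t pkt[512] = {0}, extbuf[BIN_HDR_LEN + BIN_MAX_EXTLEN];
    pkt[0] = 0x80;      /* request magic */
    pkt[1] = 0x01;      /* opcode */
    pkt[4] = extlen;
    return stage_header(pkt, rbytes, extbuf);
}

int main(void)
{
    printf("extlen=0x08 -> %d\n", try_extlen(0x08, 64));
    printf("extlen=0x30 -> %d\n", try_extlen(0x30, 512));
    return 0;
}
```

The buffered-bytes comparison alone only proves that enough input has arrived; the separate bound on extlen is what ties the copy length to the size of extbuf.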