memcached: patch CVE-2023-46852

Details https://nvd.nist.gov/vuln/detail/CVE-2023-46852

Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>

meta-networking/recipes-support/memcached/memcached/CVE-2023-46852.patch

@@ -0,0 +1,71 @@
+From 44d8cfad2500881447cbfe2089bfd80b85ffcd7e Mon Sep 17 00:00:00 2001
+From: dormando <dormando@rydia.net>
+Date: Fri, 28 Jul 2023 10:32:16 -0700
+Subject: [PATCH] CVE-2023-46852
+
+proxy: fix buffer overflow with multiget syntax
+
+"get[200 spaces]key1 key2\r\n" would overflow a temporary buffer used to
+process multiget syntax.
+
+To exploit this you must first pass the check in try_read_command_proxy:
+- The request before the first newline must be less than 1024 bytes.
+- If it is more than 1024 bytes there is a limit of 100 spaces.
+- The key length is still checked at 250 bytes
+- Meaning you have up to 772 spaces and then the key to create stack
+  corruption.
+
+So the amount of data you can shove in here isn't unlimited.
+
+The fix caps the amount of data pre-key to be reasonable. Something like
+GAT needs space for a 32bit TTL which is at most going to be 15 bytes +
+spaces, so we limit it to 20 bytes.
+
+I hate hate hate hate hate the multiget syntax. hate it.
+
+CVE: CVE-2023-46852
+Upstream-Status: Backport [https://github.com/memcached/memcached/commit/76a6c363c18cfe7b6a1524ae64202ac9db330767]
+(cherry picked from commit 76a6c363c18cfe7b6a1524ae64202ac9db330767)
+Signed-off-by: Ankur Tyagi <ankur.tyagi85@gmail.com>
+---
+ proto_proxy.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/proto_proxy.c b/proto_proxy.c
+index 3ee8c07..9bef26d 100644
+--- a/proto_proxy.c
++++ b/proto_proxy.c
+@@ -616,6 +616,12 @@ int proxy_run_coroutine(lua_State *Lc, mc_resp *resp, io_pending_proxy_t *p, con
+     return 0;
+ }
+ 
++// basically any data before the first key.
++// max is like 15ish plus spaces. we can be more strict about how many spaces
++// to expect because any client spamming space is being deliberately stupid
++// anyway.
++#define MAX_CMD_PREFIX 20
++
+ static void proxy_process_command(conn *c, char *command, size_t cmdlen, bool multiget) {
+     assert(c != NULL);
+     LIBEVENT_THREAD *thr = c->thread;
+@@ -687,12 +693,18 @@ static void proxy_process_command(conn *c, char *command, size_t cmdlen, bool mu
+     if (!multiget && pr.cmd_type == CMD_TYPE_GET && pr.has_space) {
+         uint32_t keyoff = pr.tokens[pr.keytoken];
+         while (pr.klen != 0) {
+-            char temp[KEY_MAX_LENGTH + 30];
++            char temp[KEY_MAX_LENGTH + MAX_CMD_PREFIX + 30];
+             char *cur = temp;
+             // Core daemon can abort the entire command if one key is bad, but
+             // we cannot from the proxy. Instead we have to inject errors into
+             // the stream. This should, thankfully, be rare at least.
+-            if (pr.klen > KEY_MAX_LENGTH) {
++            if (pr.tokens[pr.keytoken] > MAX_CMD_PREFIX) {
++                if (!resp_start(c)) {
++                    conn_set_state(c, conn_closing);
++                    return;
++                }
++                proxy_out_errstring(c->resp, PROXY_CLIENT_ERROR, "malformed request");
++            } else if (pr.klen > KEY_MAX_LENGTH) {
+                 if (!resp_start(c)) {
+                     conn_set_state(c, conn_closing);
+                     return;

meta-networking/recipes-support/memcached/memcached_1.6.17.bb

@@ -22,6 +22,7 @@ RDEPENDS:${PN} += "perl perl-module-posix perl-module-autoloader \
 SRC_URI = "http://www.memcached.org/files/${BP}.tar.gz \
            file://memcached-add-hugetlbfs-check.patch \
            file://0001-Fix-function-protypes.patch \
+           file://CVE-2023-46852.patch \
            "
 SRC_URI[sha256sum] = "2055e373613d8fc21529aff9f0adce3e23b9ce01ba0478d30e7941d9f2bd1224"