memcached: patch CVE-2023-46853

Details: https://nvd.nist.gov/vuln/detail/CVE-2023-46853

Backport the patch that is referenced by the NVD advisory.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>

meta-networking/recipes-support/memcached/memcached/CVE-2023-46853.patch

@@ -0,0 +1,114 @@
+From 788c8ba8fe07d0df3c425458b6e3a1590cc25401 Mon Sep 17 00:00:00 2001
+From: dormando <dormando@rydia.net>
+Date: Wed, 2 Aug 2023 15:45:56 -0700
+Subject: [PATCH] proxy: fix off-by-one if \r is missing
+
+A bunch of the parser assumed we only had \r\n, but I didn't actually
+have that strictness set. Some commands worked and some broke in subtle
+ways when just "\n" was being submitted.
+
+I'm not 100% confident in this change yet so I'm opening a PR to stage
+it while I run some more thorough tests.
+
+CVE: CVE-2023-46853
+Upstream-Status: Backport [https://github.com/memcached/memcached/commit/6987918e9a3094ec4fc8976f01f769f624d790fa]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ proxy.h         |  1 +
+ proxy_request.c | 22 ++++++++++++++++------
+ t/proxy.t       |  5 +++--
+ 3 files changed, 20 insertions(+), 8 deletions(-)
+
+diff --git a/proxy.h b/proxy.h
+index 86b4aa9..df9ebd6 100644
+--- a/proxy.h
++++ b/proxy.h
+@@ -268,6 +268,7 @@ struct mcp_parser_s {
+     uint8_t keytoken; // because GAT. sigh. also cmds without a key.
+     uint32_t parsed; // how far into the request we parsed already
+     uint32_t reqlen; // full length of request buffer.
++    uint32_t endlen; // index to the start of \r\n or \n
+     int vlen;
+     uint32_t klen; // length of key.
+     uint16_t tokens[PARSER_MAX_TOKENS]; // offsets for start of each token
+diff --git a/proxy_request.c b/proxy_request.c
+index f351cc1..1c34182 100644
+--- a/proxy_request.c
++++ b/proxy_request.c
+@@ -9,7 +9,7 @@
+ // where we later scan or directly feed data into API's.
+ static int _process_tokenize(mcp_parser_t *pr, const size_t max) {
+     const char *s = pr->request;
+-    int len = pr->reqlen - 2;
++    int len = pr->endlen;
+ 
+     // since multigets can be huge, we can't purely judge reqlen against this
+     // limit, but we also can't index past it since the tokens are shorts.
+@@ -79,7 +79,7 @@ static int _process_request_key(mcp_parser_t *pr) {
+ // Returns the offset for the next key.
+ size_t _process_request_next_key(mcp_parser_t *pr) {
+     const char *cur = pr->request + pr->parsed;
+-    int remain = pr->reqlen - pr->parsed - 2;
++    int remain = pr->endlen - pr->parsed;
+ 
+     // chew off any leading whitespace.
+     while (remain) {
+@@ -112,7 +112,7 @@ static int _process_request_metaflags(mcp_parser_t *pr, int token) {
+         return 0;
+     }
+     const char *cur = pr->request + pr->tokens[token];
+-    const char *end = pr->request + pr->reqlen - 2;
++    const char *end = pr->request + pr->endlen;
+ 
+     // We blindly convert flags into bits, since the range of possible
+     // flags is deliberately < 64.
+@@ -276,15 +276,25 @@ int process_request(mcp_parser_t *pr, const char *command, size_t cmdlen) {
+         return -1;
+     }
+ 
+-    const char *s = memchr(command, ' ', cmdlen-2);
++    // Commands can end with bare '\n's. Depressingly I intended to be strict
++    // with a \r\n requirement but never did this and need backcompat.
++    // In this case we _know_ \n is at cmdlen because we can't enter this
++    // function otherwise.
++    if (cm[cmdlen-2] == '\r') {
++        pr->endlen = cmdlen - 2;
++    } else {
++        pr->endlen = cmdlen - 1;
++    }
++
++    const char *s = memchr(command, ' ', pr->endlen);
+     if (s != NULL) {
+         cl = s - command;
+     } else {
+-        cl = cmdlen - 2;
++        cl = pr->endlen;
+     }
+     pr->keytoken = 0;
+     pr->has_space = false;
+-    pr->parsed = cl + 1;
++    pr->parsed = cl;
+     pr->request = command;
+     pr->reqlen = cmdlen;
+     int token_max = PARSER_MAX_TOKENS;
+diff --git a/t/proxy.t b/t/proxy.t
+index c85796d..203924b 100644
+--- a/t/proxy.t
++++ b/t/proxy.t
+@@ -151,13 +151,14 @@ my $p_sock = $p_srv->sock;
+ # NOTE: memcached always allowed [\r]\n for single command lines, but payloads
+ # (set/etc) require exactly \r\n as termination.
+ # doc/protocol.txt has always specified \r\n for command/response.
+-# Proxy is more strict than normal server in this case.
++# Note a bug lead me to believe that the proxy was more strict, we accept any
++# \n or \r\n terminated commands.
+ {
+     my $s = $srv[0]->sock;
+     print $s "version\n";
+     like(<$s>, qr/VERSION/, "direct server version cmd with just newline");
+     print $p_sock "version\n";
+-    like(<$p_sock>, qr/SERVER_ERROR/, "proxy version cmd with just newline");
++    like(<$p_sock>, qr/VERSION/, "proxy version cmd with just newline");
+     print $p_sock "version\r\n";
+     like(<$p_sock>, qr/VERSION/, "proxy version cmd with full CRLF");
+ }

meta-networking/recipes-support/memcached/memcached_1.6.15.bb

@@ -22,6 +22,7 @@ RDEPENDS:${PN} += "perl perl-module-posix perl-module-autoloader \
 SRC_URI = "http://www.memcached.org/files/${BP}.tar.gz \
            file://memcached-add-hugetlbfs-check.patch \
            file://CVE-2023-46852.patch \
+           file://CVE-2023-46853.patch \
            "
 SRC_URI[sha256sum] = "8d7abe3d649378edbba16f42ef1d66ca3f2ac075f2eb97145ce164388e6ed515"