Status: New
Owner: ----
Labels: Type-Defect Priority-Medium
New issue 302 by shach...@gmail.com: memached 1.6 - write_bin_packet will
call add_iov with pointer to a freed stack variable
http://code.google.com/p/memcached/issues/detail?id=302
From reading of
https://github.com/memcached/memcached/commit/eeaeeede5ddaaed8179389876866756ce1c05158 ,
it seems that write_bin_packet will write to a stack based buffer, and add
a pointer to it for later delivery using add_iov.
As the actual transmission happens later on, this will cause the writing
function to send uninitialized buffer, containing random stack contents.
The bug was introduced in eeaeeed , with versions before it passing
pointers to constant strings, that were not stored on the stack.
