Bug #20478242 MEMCAHCED SET COMMAND ACCEPTS NEGATIVE VALUES FOR EXPIRE TIME

aditya · aditya · commit 159be46cef76 · 2015-03-20T15:28:02.000+05:30
PROBLEM

Inside memcached server the expire time is stored as unsigned int,so when the
user gives a negative value it is converted to a large number and is accepted.

FIX

Simple and easy fix is to restrict the maximum value of expire time to INT_MAX32
since any negative value will be greater than this and we can reject it.

Also removed useless assert in  innodb_flush_sync_conn() function
diff --git a/plugin/innodb_memcached/daemon_memcached/daemon/memcached.c b/plugin/innodb_memcached/daemon_memcached/daemon/memcached.c
@@ -3,7 +3,7 @@
  *  memcached - memory caching daemon
  *
  *       http://www.danga.com/memcached/
- *
+ *  Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
  *  Copyright 2003 Danga Interactive, Inc.  All rights reserved.
  *
  *  Use and distribution licensed under the BSD license.  See
@@ -4247,6 +4247,13 @@ static void process_update_command(conn *c, token_t *tokens, const size_t ntoken
         return;
     }
 
+    /* Negative expire values not allowed */
+
+    if (exptime_int < 0) {
+        out_string(c, "CLIENT_ERROR Invalid expire time");
+        return;
+    }
+
     /* Ubuntu 8.04 breaks when I pass exptime to safe_strtol */
     exptime = exptime_int;
 
diff --git a/plugin/innodb_memcached/daemon_memcached/utilities/util.c b/plugin/innodb_memcached/daemon_memcached/utilities/util.c
@@ -1,3 +1,5 @@
+/*  Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. */
+
 #include "config.h"
 #include <stdio.h>
 #include <assert.h>
@@ -9,6 +11,8 @@
 
 #include "memcached/util.h"
 
+
+#define INT_MAX32 0x7fffffff
 /* Avoid warnings on solaris, where isspace() is an index into an array, and gcc uses signed chars */
 #define xisspace(c) isspace((unsigned char)c)
 
@@ -79,6 +83,7 @@ bool safe_strtoul(const char *str, uint32_t *out) {
     return false;
 }
 
+/*Function converts string into int */
 bool safe_strtol(const char *str, int32_t *out) {
     assert(out != NULL);
     errno = 0;
@@ -87,6 +92,10 @@ bool safe_strtol(const char *str, int32_t *out) {
     long l = strtol(str, &endptr, 10);
     if (errno == ERANGE)
         return false;
+
+    if (l > INT_MAX32)
+        return false;
+
     if (xisspace(*endptr) || (*endptr == '\0' && endptr != str)) {
         *out = l;
         return true;
diff --git a/plugin/innodb_memcached/innodb_memcache/src/innodb_engine.c b/plugin/innodb_memcached/innodb_memcache/src/innodb_engine.c
@@ -2027,7 +2027,6 @@ innodb_flush_sync_conn(
 
 	curr_conn_data = engine->server.cookie->get_engine_specific(cookie);
 	assert(curr_conn_data);
-	assert(!engine->enable_binlog || curr_conn_data->thd);
 
 	conn_data = UT_LIST_GET_FIRST(engine->conn_data);
 
