Unrated severityNVD Advisory· Published Apr 12, 2010· Updated Apr 29, 2026
CVE-2010-1152
CVE-2010-1152
Description
memcached.c in memcached before 1.4.3 allows remote attackers to cause a denial of service (daemon hang or crash) via a long line that triggers excessive memory allocation. NOTE: some of these details are obtained from third party information.
Affected products
21cpe:2.3:a:memcachedb:memcached:*:*:*:*:*:*:*:*+ 20 more
- cpe:2.3:a:memcachedb:memcached:*:*:*:*:*:*:*:*range: <=1.4.2
- cpe:2.3:a:memcachedb:memcached:0.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:memcachedb:memcached:0.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:memcachedb:memcached:0.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:memcachedb:memcached:0.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:memcachedb:memcached:0.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:memcachedb:memcached:0.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:memcachedb:memcached:1.0.0:beta:*:*:*:*:*:*
- cpe:2.3:a:memcachedb:memcached:1.0.1:beta:*:*:*:*:*:*
- cpe:2.3:a:memcachedb:memcached:1.0.2:beta:*:*:*:*:*:*
- cpe:2.3:a:memcachedb:memcached:1.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:memcachedb:memcached:1.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:memcachedb:memcached:1.1.0:beta:*:*:*:*:*:*
- cpe:2.3:a:memcachedb:memcached:1.1.12:*:*:*:*:*:*:*
- cpe:2.3:a:memcachedb:memcached:1.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:memcachedb:memcached:1.2.0:beta:*:*:*:*:*:*
- cpe:2.3:a:memcachedb:memcached:1.2.1:beta:*:*:*:*:*:*
- cpe:2.3:a:memcachedb:memcached:1.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:memcachedb:memcached:1.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:memcachedb:memcached:1.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:memcachedb:memcached:1.4.1:*:*:*:*:*:*:*
Patches
2d9cd01ede97fUse strncmp when checking for large ascii multigets.
1 file changed · +3 −1
memcached.c+3 −1 modified@@ -3148,7 +3148,9 @@ static int try_read_command(conn *c) { ++ptr; } - if (strcmp(ptr, "get ") && strcmp(ptr, "gets ")) { + if (ptr - c->rcurr > 100 || + (strncmp(ptr, "get ", 4) && strncmp(ptr, "gets ", 5))) { + conn_set_state(c, conn_closing); return 1; }
75cc83685e10Issue 102: Piping null to the server will crash it
2 files changed · +46 −2
memcached.c+29 −2 modified@@ -3127,9 +3127,27 @@ static int try_read_command(conn *c) { if (c->rbytes == 0) return 0; + el = memchr(c->rcurr, '\n', c->rbytes); - if (!el) + if (!el) { + if (c->rbytes > 1024) { + /* + * We didn't have a '\n' in the first k. This _has_ to be a + * large multiget, if not we should just nuke the connection. + */ + char *ptr = c->rcurr; + while (*ptr == ' ') { /* ignore leading whitespaces */ + ++ptr; + } + + if (strcmp(ptr, "get ") && strcmp(ptr, "gets ")) { + conn_set_state(c, conn_closing); + return 1; + } + } + return 0; + } cont = el + 1; if ((el - c->rcurr) > 1 && *(el - 1) == '\r') { el--; @@ -3191,12 +3209,17 @@ static enum try_read_result try_read_udp(conn *c) { * close. * before reading, move the remaining incomplete fragment of a command * (if any) to the beginning of the buffer. + * + * To protect us from someone flooding a connection with bogus data causing + * the connection to eat up all available memory, break out and start looking + * at the data I've got after a number of reallocs... + * * @return enum try_read_result */ static enum try_read_result try_read_network(conn *c) { enum try_read_result gotdata = READ_NO_DATA_RECEIVED; int res; - + int num_allocs = 0; assert(c != NULL); if (c->rcurr != c->rbuf) { @@ -3207,6 +3230,10 @@ static enum try_read_result try_read_network(conn *c) { while (1) { if (c->rbytes >= c->rsize) { + if (num_allocs == 4) { + return gotdata; + } + ++num_allocs; char *new_rbuf = realloc(c->rbuf, c->rsize * 2); if (!new_rbuf) { if (settings.verbose > 0)
testapp.c+17 −0 modified@@ -538,6 +538,22 @@ static enum test_return test_issue_92(void) { return TEST_PASS; } +static enum test_return test_issue_102(void) { + char buffer[4096]; + memset(buffer, ' ', sizeof(buffer)); + buffer[sizeof(buffer) - 1] = '\0'; + + close(sock); + sock = connect_server("127.0.0.1", port, false); + + send_ascii_command(buffer); + /* verify that the server closed the connection */ + assert(read(sock, buffer, sizeof(buffer)) == 0); + close(sock); + sock = connect_server("127.0.0.1", port, false); + return TEST_PASS; +} + static enum test_return start_memcached_server(void) { server_pid = start_server(&port, false, 600); sock = connect_server("127.0.0.1", port, false); @@ -1676,6 +1692,7 @@ struct testcase testcases[] = { /* The following tests all run towards the same server */ { "start_server", start_memcached_server }, { "issue_92", test_issue_92 }, + { "issue_102", test_issue_102 }, { "binary_noop", test_binary_noop }, { "binary_quit", test_binary_quit }, { "binary_quitq", test_binary_quitq },
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
12- github.com/memcached/memcached/commit/75cc83685e103bc8ba380a57468c8f04413033f9nvdPatch
- github.com/memcached/memcached/commit/d9cd01ede97f4145af9781d448c62a3318952719nvdPatch
- marc.infonvdPatch
- marc.infonvdPatch
- marc.infonvdPatch
- code.google.com/p/memcached/issues/detailnvdExploit
- secunia.com/advisories/39306nvdVendor Advisory
- blogs.sun.com/security/entry/input_validation_vulnerability_in_memcachednvd
- lists.opensuse.org/opensuse-security-announce/2010-05/msg00002.htmlnvd
- lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.htmlnvd
- securitytracker.com/idnvd
- www.vupen.com/english/advisories/2011/0442nvd
News mentions
0No linked articles in our index yet.