Details
Description
If buf_to_printable_buffer() is passed a source buf which is larger than
dest buf, it attempts to only process as many bytes as will fit in the
destination. However there is an off-by-one error when writing the
trailing \0 which causes it to overwrite the end of the destination
buffer.
Identified during testing of some long sub-document mutation paths.
Note this code is only executed if memcached's verbosity is set to '2' or higher (default in production is 1), hence the fact that we've not (to my knowledge) seen any production issues.
Attachments
Issue Links
- blocks
-
MB-17211 4.1.1 Minor Release
-
- Closed
-
| For Gerrit Dashboard: MB-17891 | ||||||
|---|---|---|---|---|---|---|
| # | Subject | Branch | Project | Status | CR | V |
| 59390,4 | MB-17891: Correct off-by-one error in buf_to_printable_buffer() | master | memcached | Status: MERGED | +2 | +1 |
| 59649,2 | MB-17891: Correct off-by-one error in buf_to_printable_buffer() | sherlock | memcached | Status: MERGED | -1 | +1 |
| 62152,2 | MB-17891: Actually fix off-by-one-error in buf_to_printable_buffer() | watson | memcached | Status: MERGED | +2 | +1 |
| 62162,2 | Merge remote-tracking branch 'couchbase/watson' into couchbase/master | master | memcached | Status: MERGED | +2 | +1 |