From 8a06a059d8b0d4c5ecaabf7e348ffdc929c42496 Mon Sep 17 00:00:00 2001
From: yanshuai01
Date: Thu, 6 Jun 2024 15:58:26 +0800
Subject: [PATCH] fix use-after-free for text multigets

---
 fix-use-after-free-for-text-multigets.patch | 35 +++++++++++++++++++++
 memcached.spec | 7 ++++-
 2 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 fix-use-after-free-for-text-multigets.patch

diff --git a/fix-use-after-free-for-text-multigets.patch b/fix-use-after-free-for-text-multigets.patch
new file mode 100644
index 0000000..5561511
--- /dev/null
+++ b/fix-use-after-free-for-text-multigets.patch
@@ -0,0 +1,35 @@
+From 7af02b0c875a36c61875a332dda582375014cf44 Mon Sep 17 00:00:00 2001
+From: dormando
+Date: Tue, 11 Jan 2022 23:46:32 -0800
+Subject: [PATCH] core: fix use-after-free for text multigets
+
+Reported in #849 - this fixes copying a read buffer after freeing the
+original read buffer.
+
+This didn't matter for years since the cache code didn't touch the
+buffer, but recently it can reuse the first 8 bytes as a pointer to the
+internal freelist. Thus in some situations where large reads happen the
+command can get corrupted, returning an unhelpful "ERROR" to the end
+user.
+
+---
+ memcached.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/memcached.c b/memcached.c
+index 8bbdccd..2b68ca6 100644
+--- a/memcached.c
++++ b/memcached.c
+@@ -440,8 +440,8 @@ bool rbuf_switch_to_malloc(conn *c) {
+ if (!tmp)
+ return false;
+
+- do_cache_free(c->thread->rbuf_cache, c->rbuf);
+ memcpy(tmp, c->rcurr, c->rbytes);
++ do_cache_free(c->thread->rbuf_cache, c->rbuf);
+
+ c->rcurr = c->rbuf = tmp;
+ c->rsize = size;
+--
+2.27.0
+
diff --git a/memcached.spec b/memcached.spec
index 9c7163d..3d53f2a 100644
--- a/memcached.spec
+++ b/memcached.spec
@@ -7,7 +7,7 @@
 Name: memcached
 Version: 1.6.12
-Release: 3
+Release: 4
 Epoch: 0
 Summary: A high-performance, distributed memory object caching system
 License: GPL-2.0+
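Review bot: The reordered pair in the inner memcached.c hunk is correct only because of an ordering constraint the new side leaves undocumented: `c->rcurr` is a cursor into `c->rbuf` (the next statement sets both to `tmp`), and per the patch description `do_cache_free()` overwrites the first 8 bytes of the freed buffer with a freelist link, so copying after freeing read from released memory. Without a comment, a later refactor can swap the two lines back and reintroduce a use-after-free that only surfaces under large reads; I would add above the memcpy `/* Copy out of the old rbuf BEFORE returning it to the cache: rcurr aliases rbuf, and do_cache_free() overwrites the head of the freed buffer with a freelist pointer. */`. The enclosing rbuf_switch_to_malloc() begins before the hunk, so the relation between the allocation size of `tmp` and `c->rbytes` that keeps the memcpy in-bounds is presumably established in the lines above and cannot be checked here. The per-thread scope of `c->thread->rbuf_cache` does not make the original order benign: reading a freed buffer is undefined behavior regardless, and an ASan run of the package test suite would have caught it before the freelist change made it visible as a corrupted command.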
@@ -18,6 +18,7 @@ Source2: memcached.sysconfig
 Patch0001: memcached-unit.patch
 Patch0002: fix-meta-delete.patch
+Patch0003: fix-use-after-free-for-text-multigets.patch
 BuildRequires: systemd perl-generators perl(Test::More) perl(Test::Harness)
 BuildRequires: selinux-policy-devel libevent-devel make gcc
@@ -64,6 +65,7 @@ optimised for use with this version of memcached.
 %setup -q -b 1
 %patch1 -p1 -b .unit
 %patch2 -p1 -b .delete
+%patch3 -p1 -b .multigets
 %build
 %configure \
@@ -146,6 +148,9 @@ fi
 %{_mandir}/man1/memcached.1*
 %changelog
+* Thu Jun 06 2024 yanshuai - 0:1.6.12-4
+- core: fix use-after-free for text multigets
+
 * Fri May 31 2024 yanshuai - 0:1.6.12-3
 - meta: fix meta delete
--
Gitee