Memcached has a crash-me bug, but hey, only about 83,000 public-facing servers appear to be running it

An annoying security flaw has been disclosed and promptly fixed in the fairly popular memcached distributed data-caching software. On Monday morning a netizen with the handle IceJi publicly revealed the presence of a bug that could be exploited to crash the software: specifically, the flaw is a buffer overflow in the binary protocol …

  1. A Non e-mouse Silver badge

    It seems 1.6 is the bleeding edge for Memcached so I'd have thought fewer people would be affected.

    1. Anonymous Coward

      Not in this devops, CI/CD containerised world, where the latest shiny is preferred.

      1. Anonymous Coward

        preferred? I would have said 'demanded'.

  2. Anonymous Coward

    Article heading says "{* SECURITY *}".....but.....

    .....what happened to "{* TESTING *}" ???

    *

    Ah.....sorry....forgot about Scrum, Agile, DevOps......."Testing" is so last century!

  3. Michael Wojcik Silver badge

    Typical

    Tainted data used as the length argument to memcpy. That's not even a mistake; it's laziness, pure and simple.

    Of course even in this code snippet we have C code written by someone who doesn't know that sizeof is an operator, not a function, and its argument does not need to be parenthesized unless it's a type name.

    Most developers simply don't have the discipline to write in C.

    And an unconstrained overflow of an automatic-storage-class[1] very likely is an RCE vulnerability on popular platforms. It's the classic RCE, going back to Levi and to Morris before him.

    [1] "Stack", though C does not require a traditional contiguous stack, and the language does not use that term.
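An added illustration of the bug class discussed in the comment above; this is not the article's snippet or memcached's source. It parses a constructed three-byte request header whose key-length field comes from the peer, once with that tainted length fed straight to memcpy into a stack buffer, and once with the length checked against both the bytes actually received and the destination size. The wire layout, KEY_MAX and every function name are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed wire format for this example (not memcached's real header):
 *   byte 0    : opcode
 *   bytes 1-2 : key length, big-endian
 *   bytes 3.. : key bytes
 */
#define HDR_LEN 3
#define KEY_MAX 64   /* size of the automatic-storage (stack) buffer below */

static uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Vulnerable form: the peer-supplied length goes straight into memcpy.
 * A request declaring keylen > KEY_MAX writes past 'key', which lives in
 * automatic storage, and a declaration larger than the packet reads past
 * the packet. Kept only for contrast; never call it on untrusted input. */
int handle_request_unsafe(const uint8_t *pkt, size_t pkt_len)
{
    char key[KEY_MAX];
    uint16_t keylen;

    if (pkt_len < HDR_LEN)
        return -1;
    keylen = read_be16(pkt + 1);
    memcpy(key, pkt + HDR_LEN, keylen);   /* tainted length, unchecked */
    return (int)keylen;
}

/* Hardened form: the declared length is checked against the bytes that
 * actually arrived and against the destination before any copy happens.
 * sizeof is an operator; applied to an object expression it needs no
 * parentheses. */
int handle_request_safe(const uint8_t *pkt, size_t pkt_len)
{
    char key[KEY_MAX];
    uint16_t keylen;

    if (pkt_len < HDR_LEN)
        return -1;                   /* truncated header */
    keylen = read_be16(pkt + 1);
    if (keylen > pkt_len - HDR_LEN)
        return -1;                   /* claims more bytes than were sent */
    if (keylen >= sizeof key)
        return -1;                   /* would overflow the stack buffer */
    memcpy(key, pkt + HDR_LEN, keylen);
    key[keylen] = '\0';
    return (int)keylen;
}

/* Builds a request into buf and returns its length. 'declared' may differ
 * from real_len to simulate a lying peer. */
size_t build_request(uint8_t *buf, size_t buf_len, uint16_t declared,
                     const char *key, size_t real_len)
{
    if (buf_len < HDR_LEN + real_len)
        return 0;
    buf[0] = 0x00;
    buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)(declared & 0xff);
    memcpy(buf + HDR_LEN, key, real_len);
    return HDR_LEN + real_len;
}

/* Three constructed scenarios, run through the checked parser only. */
int demo_honest(void)
{
    uint8_t buf[128];
    size_t n = build_request(buf, sizeof buf, 5, "hello", 5);
    return handle_request_safe(buf, n);       /* 5 */
}

int demo_lying_length(void)
{
    uint8_t buf[128];
    size_t n = build_request(buf, sizeof buf, 0xFFFF, "hello", 5);
    return handle_request_safe(buf, n);       /* -1: declares 65535, sent 5 */
}

int demo_oversize_key(void)
{
    uint8_t buf[256];
    char big[100];
    memset(big, 'A', sizeof big);
    size_t n = build_request(buf, sizeof buf, 100, big, sizeof big);
    return handle_request_safe(buf, n);       /* -1: 100 bytes into a 64-byte buffer */
}

int main(void)
{
    printf("honest: %d, lying length: %d, oversize key: %d\n",
           demo_honest(), demo_lying_length(), demo_oversize_key());
    return 0;
}
```

The second check is the one that matters for the comment's point: the declared length must be compared with the destination's size, not only with the packet, because a fully delivered 100-byte key still does not fit in a 64-byte automatic buffer. Build with a sanitizer (for example `-fsanitize=address`) and feed `demo_oversize_key`'s packet to `handle_request_unsafe` to see the stack write the checked version refuses.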


Biting the hand that feeds IT © 1998–2020