1) Run memcached 1.4.4 on RHEL6 and pass "-vv"
2) Send binary deletion requests.
memcached will print the key being deleted to stderr (file: memcached.c, function: process_bin_delete, ll. 2002 ff.):
    if (settings.verbose > 1) {
        fprintf(stderr, "Deleting %s\n", key);
    }
Since the key is not NUL-terminated this may run off the end of the connexion object's read buffer and cause a seg-fault. Compare the code for printing the key elsewhere (file: memcached.c, function process_bin_update, ll. 1842 ff.):
    if (settings.verbose > 1) {
        int ii;
        if (c->cmd == PROTOCOL_BINARY_CMD_ADD) {
            fprintf(stderr, "<%d ADD ", c->sfd);
        } else if (c->cmd == PROTOCOL_BINARY_CMD_SET) {
            fprintf(stderr, "<%d SET ", c->sfd);
        } else {
            fprintf(stderr, "<%d REPLACE ", c->sfd);
        }
        for (ii = 0; ii < nkey; ++ii) {
            fprintf(stderr, "%c", key[ii]);
        }
        fprintf(stderr, " Value len is %d", vlen);
        fprintf(stderr, "\n");
    }
Checked out the current master (9e09900770e79e4e621bdd274658dfa748404095), disabled setrlimit (RLIMIT_NOFILE, ...) 'cause it doesn't seem to play well with valgrind, compiled and installed it on my Debian Testing machine (build log attached).
Started it as follows:
$ valgrind --leak-check=full --malloc-fill=0xee --free-fill=0xff --trace-children=yes --log-file=$TMPDIR/memcached.vg.%p.log /usr/local/memcached-9e09900/bin/memcached -vv -p 2300 2>$TMPDIR/memcached.log &
[1] 19335
Attempted to remove two keys as follows:
$ memrm --servers localhost:2300 --binary ABCDEF xyz
memrm: ABCDEF: memcache error NOT FOUND
memrm: xyz: memcache error NOT FOUND
Valgrind and memcached logs are attached.
To summarize, the key is not NUL-terminated and the fprintf may run off the end of the buffer.
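
Added example, not part of the original report and not memcached's own code: one way to log a length-delimited key without reading past nkey bytes, also escaping non-printable bytes so a binary key cannot break the log line. The names format_key and log_delete and the sample buffer are hypothetical; passing "%.*s" with (int)nkey to fprintf bounds the read in the same way.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Render at most nkey bytes of key into out, which is always NUL-terminated.
 * Non-printable bytes and backslashes are written as \xNN.
 * Returns the number of characters written, excluding the terminator. */
static size_t format_key(char *out, size_t outsz, const char *key, size_t nkey)
{
    size_t o = 0;
    if (outsz == 0)
        return 0;
    for (size_t i = 0; i < nkey; i++) {
        unsigned char ch = (unsigned char)key[i];
        if (isprint(ch) && ch != '\\') {
            if (o + 1 >= outsz)          /* keep room for the terminator */
                break;
            out[o++] = (char)ch;
        } else {
            if (o + 4 >= outsz)          /* 4 chars of escape + terminator */
                break;
            o += (size_t)snprintf(out + o, outsz - o, "\\x%02x", (unsigned)ch);
        }
    }
    out[o] = '\0';
    return o;
}

/* Hypothetical stand-in for the verbose branch of process_bin_delete. */
static size_t log_delete(FILE *fp, const char *key, size_t nkey)
{
    char buf[1024];                      /* constructed size for this example */
    size_t n = format_key(buf, sizeof buf, key, nkey);
    fprintf(fp, "Deleting %s\n", buf);   /* buf is NUL-terminated, so %s is safe */
    return n;
}

int main(void)
{
    /* Constructed read buffer: key "ABCDEF" followed by unrelated bytes,
     * with no NUL after the key, as in the binary protocol. */
    const char rbuf[] = { 'A','B','C','D','E','F','g','a','r','b','a','g','e' };
    log_delete(stderr, rbuf, 6);
    return 0;
}
```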