$OpenBSD: patch-memcached_c,v 1.8 2014/01/05 13:32:43 jasper Exp $

buffer-overrun when logging keys (CVE-2013-0179)
https://github.com/memcached/memcached/commit/fbe823d9a61b5149cd6e3b5e17bd28dd3b8dd760

and fix segfault on specially crafted packet (CVE-2011-4971)
https://github.com/memcached/memcached/commit/6695ccbc525c36d693aaa3e8337b36aa0c784424

--- memcached.c.orig	Mon Jul 30 22:26:47 2012
+++ memcached.c	Thu Jan  2 16:59:32 2014
@@ -2149,7 +2149,12 @@ static void process_bin_delete(conn *c) {
     assert(c != NULL);
 
     if (settings.verbose > 1) {
-        fprintf(stderr, "Deleting %s\n", key);
+        int ii;
+        fprintf(stderr, "Deleting ");
+        for (ii = 0; ii < nkey; ++ii) {
+            fprintf(stderr, "%c", key[ii]);
+        }
+        fprintf(stderr, "\n");
     }
 
     if (settings.detail_enabled) {
@@ -3863,6 +3868,16 @@ static void drive_machine(conn *c) {
                 complete_nread(c);
                 break;
             }
+
+            /* Check if rbytes < 0, to prevent crash */
+            if (c->rlbytes < 0) {
+                if (settings.verbose) {
+                    fprintf(stderr, "Invalid rlbytes to read: len %d\n", c->rlbytes);
+                }
+                conn_set_state(c, conn_closing);
+                break;
+            }
+
             /* first check if we have leftovers in the conn_read buffer */
             if (c->rbytes > 0) {
                 int tocopy = c->rbytes > c->rlbytes ? c->rlbytes : c->rbytes;
