Crash(SEGV) when running with conf/huge_mget or conf/set_big_values

[jefyt]

Description
Crash(SEGV) occurs when running mc-crusher with --conf ./conf/huge_mget or --conf ./conf/set_big_values. The rest of conf/* are fine.

Steps to Reproduce

1. Build and run official memcached-1.6.1. configure options used in my env is --disable-extstore --disable-tls --disable-seccomp --disable-sasl --disable-sasl-pwdb --disable-coverage --disable-docs
2. Execute ./mc-crusher --conf ./conf/huge_mget --ip MEMCACHED_IP. Result: SEGV
3. Execute ./mc-crusher --conf ./conf/set_big_values --ip MEMCACHED_IP. Result: SEGV

System Information

• OS/Distro: Ubuntu
• Version of OS/distro: 19.10
• Version of memcached: 1.6.1
• Hardware detail: VirtualBox

Details
Valgrind was executed after normal execution crash and below are the logs:

==3335== Memcheck, a memory error detector
==3335== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==3335== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==3335== Command: ./mc-crusher --conf ./conf/set_big_values --ip 192.168.56.102
==3335==
ip address default: 192.168.56.102
id 0 for key send value ascii_set
id 1 for key recv value blind_read
id 5 for key conns value 1
id 8 for key key_prefix value foo
id 12 for key value_size value 1047552
id 26 for key key_prealloc value 0
id 20 for key key_count value 4000
done initializing
==3335== Thread 2:
==3335== Invalid write of size 2
==3335== at 0x4841B33: memmove (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3335== by 0x10B9A1: ascii_write_flat_to_client (mc-crusher.c:487)
==3335== by 0x10BB53: run_write (mc-crusher.c:543)
==3335== by 0x10BD33: client_handler (mc-crusher.c:583)
==3335== by 0x4875A10: ??? (in /usr/lib/x86_64-linux-gnu/libevent-2.1.so.6.0.2)
==3335== by 0x487633E: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.1.so.6.0.2)
==3335== by 0x10D346: thread_runner (mc-crusher.c:1063)
==3335== by 0x4C00668: start_thread (pthread_create.c:479)
==3335== by 0x4D3C322: clone (clone.S:95)
==3335== Address 0x4f2fc78 is 0 bytes after a block of size 66,952 alloc'd
==3335== at 0x483A7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3335== by 0x10BE9D: new_connection (mc-crusher.c:636)
==3335== by 0x10D29A: start_template (mc-crusher.c:1048)
==3335== by 0x10D1D4: parse_config_line (mc-crusher.c:1032)
==3335== by 0x10D9DB: main (mc-crusher.c:1181)
==3335==

==3243== Memcheck, a memory error detector
==3243== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==3243== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==3243== Command: ./mc-crusher --conf ./conf/huge_mget --ip 192.168.56.102
==3243==
ip address default: 192.168.56.102
id 0 for key send value ascii_mget
id 1 for key recv value blind_read
id 5 for key conns value 1
id 15 for key mget_count value 500000
id 8 for key key_prefix value foobar
id 26 for key key_prealloc value 1
done initializing==3243== Thread 2:
==3243== Invalid write of size 2
==3243== at 0x4841B33: memmove (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3243== by 0x10B3AB: ascii_mget_format (mc-crusher.c:393)
==3243== by 0x10B461: ascii_write_flat_mget_to_client (mc-crusher.c:406)
==3243== by 0x10BB53: run_write (mc-crusher.c:543)
==3243== by 0x10BD33: client_handler (mc-crusher.c:583)
==3243== by 0x4875A10: ??? (in /usr/lib/x86_64-linux-gnu/libevent-2.1.so.6.0.2)
==3243== by 0x487633E: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.1.so.6.0.2)
==3243== by 0x10D346: thread_runner (mc-crusher.c:1063)
==3243== by 0x4C00668: start_thread (pthread_create.c:479)
==3243== by 0x4D3C322: clone (clone.S:95)
==3243== Address 0x4f2fc78 is 0 bytes after a block of size 66,952 alloc'd
==3243== at 0x483A7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3243== by 0x10BE9D: new_connection (mc-crusher.c:636)
==3243== by 0x10D29A: start_template (mc-crusher.c:1048)
==3243== by 0x10D1D4: parse_config_line (mc-crusher.c:1032)
==3243== by 0x10D9DB: main (mc-crusher.c:1181)
==3243==
==3243== Invalid write of size 2
==3243== at 0x4841B33: memmove (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3243== by 0x10DC5B: out2 (itoa_ljust.c:74)
==3243== by 0x10DE02: itoa (itoa_ljust.c:100)
==3243== by 0x10DF40: itoa_u32 (itoa_ljust.c:116)
==3243== by 0x10DFCF: itoa_u64 (itoa_ljust.c:132)
==3243== by 0x10B3D6: ascii_mget_format (mc-crusher.c:394)
==3243== by 0x10B461: ascii_write_flat_mget_to_client (mc-crusher.c:406)
==3243== by 0x10BB53: run_write (mc-crusher.c:543)
==3243== by 0x10BD33: client_handler (mc-crusher.c:583)
==3243== by 0x4875A10: ??? (in /usr/lib/x86_64-linux-gnu/libevent-2.1.so.6.0.2)
==3243== by 0x487633E: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.1.so.6.0.2)
==3243== by 0x10D346: thread_runner (mc-crusher.c:1063)
==3243== Address 0x4f2fc7a is 2 bytes after a block of size 66,952 alloc'd
==3243== at 0x483A7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3243== by 0x10BE9D: new_connection (mc-crusher.c:636)
==3243== by 0x10D29A: start_template (mc-crusher.c:1048)
==3243== by 0x10D1D4: parse_config_line (mc-crusher.c:1032)
==3243== by 0x10D9DB: main (mc-crusher.c:1181)
==3243==
==3243== Invalid write of size 1
==3243== at 0x4841A48: memmove (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3243== by 0x10DC5B: out2 (itoa_ljust.c:74)
==3243== by 0x10DE26: itoa (itoa_ljust.c:102)
==3243== by 0x10DF40: itoa_u32 (itoa_ljust.c:116)
==3243== by 0x10DFCF: itoa_u64 (itoa_ljust.c:132)
==3243== by 0x10B3D6: ascii_mget_format (mc-crusher.c:394)
==3243== by 0x10B461: ascii_write_flat_mget_to_client (mc-crusher.c:406)
==3243== by 0x10BB53: run_write (mc-crusher.c:543)
==3243== by 0x10BD33: client_handler (mc-crusher.c:583)
==3243== by 0x4875A10: ??? (in /usr/lib/x86_64-linux-gnu/libevent-2.1.so.6.0.2)
==3243== by 0x487633E: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.1.so.6.0.2)
==3243== by 0x10D346: thread_runner (mc-crusher.c:1063)
==3243== Address 0x4f2fc7c is 4 bytes after a block of size 66,952 alloc'd
==3243== at 0x483A7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3243== by 0x10BE9D: new_connection (mc-crusher.c:636)
==3243== by 0x10D29A: start_template (mc-crusher.c:1048)
==3243== by 0x10D1D4: parse_config_line (mc-crusher.c:1032)
==3243== by 0x10D9DB: main (mc-crusher.c:1181)
==3243==
==3243== Invalid write of size 1
==3243== at 0x10DE2F: itoa (itoa_ljust.c:105)
==3243== by 0x10DF40: itoa_u32 (itoa_ljust.c:116)
==3243== by 0x10DFCF: itoa_u64 (itoa_ljust.c:132)
==3243== by 0x10B3D6: ascii_mget_format (mc-crusher.c:394)
==3243== by 0x10B461: ascii_write_flat_mget_to_client (mc-crusher.c:406)
==3243== by 0x10BB53: run_write (mc-crusher.c:543)
==3243== by 0x10BD33: client_handler (mc-crusher.c:583)
==3243== by 0x4875A10: ??? (in /usr/lib/x86_64-linux-gnu/libevent-2.1.so.6.0.2)
==3243== by 0x487633E: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.1.so.6.0.2)
==3243== by 0x10D346: thread_runner (mc-crusher.c:1063)
==3243== by 0x4C00668: start_thread (pthread_create.c:479)
==3243== by 0x4D3C322: clone (clone.S:95)
==3243== Address 0x4f2fc7e is 6 bytes after a block of size 66,952 alloc'd
==3243== at 0x483A7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3243== by 0x10BE9D: new_connection (mc-crusher.c:636)
==3243== by 0x10D29A: start_template (mc-crusher.c:1048)
==3243== by 0x10D1D4: parse_config_line (mc-crusher.c:1032)
==3243== by 0x10D9DB: main (mc-crusher.c:1181)
==3243==
==3243== Invalid write of size 1
==3243== at 0x10B3DF: ascii_mget_format (mc-crusher.c:395)
==3243== by 0x10B461: ascii_write_flat_mget_to_client (mc-crusher.c:406)
==3243== by 0x10BB53: run_write (mc-crusher.c:543)
==3243== by 0x10BD33: client_handler (mc-crusher.c:583)
==3243== by 0x4875A10: ??? (in /usr/lib/x86_64-linux-gnu/libevent-2.1.so.6.0.2)
==3243== by 0x487633E: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.1.so.6.0.2)
==3243== by 0x10D346: thread_runner (mc-crusher.c:1063)
==3243== by 0x4C00668: start_thread (pthread_create.c:479)
==3243== by 0x4D3C322: clone (clone.S:95)
==3243== Address 0x4f2fc7e is 6 bytes after a block of size 66,952 alloc'd
==3243== at 0x483A7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3243== by 0x10BE9D: new_connection (mc-crusher.c:636)
==3243== by 0x10D29A: start_template (mc-crusher.c:1048)
==3243== by 0x10D1D4: parse_config_line (mc-crusher.c:1032)
==3243== by 0x10D9DB: main (mc-crusher.c:1181)
==3243==
==3243== Invalid write of size 1
==3243== at 0x4841B63: memmove (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3243== by 0x10B3AB: ascii_mget_format (mc-crusher.c:393)
==3243== by 0x10B461: ascii_write_flat_mget_to_client (mc-crusher.c:406)
==3243== by 0x10BB53: run_write (mc-crusher.c:543)
==3243== by 0x10BD33: client_handler (mc-crusher.c:583)
==3243== by 0x4875A10: ??? (in /usr/lib/x86_64-linux-gnu/libevent-2.1.so.6.0.2)
==3243== by 0x487633E: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.1.so.6.0.2)
==3243== by 0x10D346: thread_runner (mc-crusher.c:1063)
==3243== by 0x4C00668: start_thread (pthread_create.c:479)
==3243== by 0x4D3C322: clone (clone.S:95)
==3243== Address 0x4f2fc7f is 7 bytes after a block of size 66,952 alloc'd
==3243== at 0x483A7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3243== by 0x10BE9D: new_connection (mc-crusher.c:636)
==3243== by 0x10D29A: start_template (mc-crusher.c:1048)
==3243== by 0x10D1D4: parse_config_line (mc-crusher.c:1032)
==3243== by 0x10D9DB: main (mc-crusher.c:1181)
==3243==
==3243== Invalid write of size 1
==3243== at 0x4841B63: memmove (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3243== by 0x10DC5B: out2 (itoa_ljust.c:74)
==3243== by 0x10DE02: itoa (itoa_ljust.c:100)
==3243== by 0x10DF40: itoa_u32 (itoa_ljust.c:116)
==3243== by 0x10DFCF: itoa_u64 (itoa_ljust.c:132)
==3243== by 0x10B3D6: ascii_mget_format (mc-crusher.c:394)
==3243== by 0x10B461: ascii_write_flat_mget_to_client (mc-crusher.c:406)
==3243== by 0x10BB53: run_write (mc-crusher.c:543)
==3243== by 0x10BD33: client_handler (mc-crusher.c:583)
==3243== by 0x4875A10: ??? (in /usr/lib/x86_64-linux-gnu/libevent-2.1.so.6.0.2)
==3243== by 0x487633E: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.1.so.6.0.2)
==3243== by 0x10D346: thread_runner (mc-crusher.c:1063)
==3243== Address 0x4f2fc85 is 13 bytes after a block of size 66,952 alloc'd
==3243== at 0x483A7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3243== by 0x10BE9D: new_connection (mc-crusher.c:636)
==3243== by 0x10D29A: start_template (mc-crusher.c:1048)
==3243== by 0x10D1D4: parse_config_line (mc-crusher.c:1032)
==3243== by 0x10D9DB: main (mc-crusher.c:1181)
==3243==
==3243== Invalid write of size 1
==3243== at 0x4841B63: memmove (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3243== by 0x10DC5B: out2 (itoa_ljust.c:74)
==3243== by 0x10DE26: itoa (itoa_ljust.c:102)
==3243== by 0x10DF40: itoa_u32 (itoa_ljust.c:116)
==3243== by 0x10DFCF: itoa_u64 (itoa_ljust.c:132)
==3243== by 0x10B3D6: ascii_mget_format (mc-crusher.c:394)
==3243== by 0x10B461: ascii_write_flat_mget_to_client (mc-crusher.c:406)
==3243== by 0x10BB53: run_write (mc-crusher.c:543)
==3243== by 0x10BD33: client_handler (mc-crusher.c:583)
==3243== by 0x4875A10: ??? (in /usr/lib/x86_64-linux-gnu/libevent-2.1.so.6.0.2)
==3243== by 0x487633E: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.1.so.6.0.2)
==3243== by 0x10D346: thread_runner (mc-crusher.c:1063)
==3243== Address 0x4f2fc87 is 15 bytes after a block of size 66,952 alloc'd
==3243== at 0x483A7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3243== by 0x10BE9D: new_connection (mc-crusher.c:636)
==3243== by 0x10D29A: start_template (mc-crusher.c:1048)
==3243== by 0x10D1D4: parse_config_line (mc-crusher.c:1032)
==3243== by 0x10D9DB: main (mc-crusher.c:1181)
==3243==
==3243== Invalid write of size 2
==3243== at 0x4841B33: memmove (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3243== by 0x10DC5B: out2 (itoa_ljust.c:74)
==3243== by 0x10DE26: itoa (itoa_ljust.c:102)
==3243== by 0x10DF40: itoa_u32 (itoa_ljust.c:116)
==3243== by 0x10DFCF: itoa_u64 (itoa_ljust.c:132)
==3243== by 0x10B3D6: ascii_mget_format (mc-crusher.c:394)
==3243== by 0x10B461: ascii_write_flat_mget_to_client (mc-crusher.c:406)
==3243== by 0x10BB53: run_write (mc-crusher.c:543)
==3243== by 0x10BD33: client_handler (mc-crusher.c:583)
==3243== by 0x4875A10: ??? (in /usr/lib/x86_64-linux-gnu/libevent-2.1.so.6.0.2)
==3243== by 0x487633E: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.1.so.6.0.2)
==3243== by 0x10D346: thread_runner (mc-crusher.c:1063)
==3243== Address 0x4f2fc92 is 18 bytes after a block of size 66,960 in arena "client"
==3243==
==3243== Invalid write of size 1
==3243== at 0x4841A48: memmove (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3243== by 0x10DC5B: out2 (itoa_ljust.c:74)
==3243== by 0x10DE02: itoa (itoa_ljust.c:100)
==3243== by 0x10DF40: itoa_u32 (itoa_ljust.c:116)
==3243== by 0x10DFCF: itoa_u64 (itoa_ljust.c:132)
==3243== by 0x10B3D6: ascii_mget_format (mc-crusher.c:394)
==3243== by 0x10B461: ascii_write_flat_mget_to_client (mc-crusher.c:406)
==3243== by 0x10BB53: run_write (mc-crusher.c:543)
==3243== by 0x10BD33: client_handler (mc-crusher.c:583)
==3243== by 0x4875A10: ??? (in /usr/lib/x86_64-linux-gnu/libevent-2.1.so.6.0.2)
==3243== by 0x487633E: event_base_loop (in /usr/lib/x86_64-linux-gnu/libevent-2.1.so.6.0.2)
==3243== by 0x10D346: thread_runner (mc-crusher.c:1063)
==3243== Address 0x4f2ff92 is 2 bytes after a block of size 16 alloc'd
==3243== at 0x483CD99: calloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==3243== by 0x4878F02: evmap_io_add_ (in /usr/lib/x86_64-linux-gnu/libevent-2.1.so.6.0.2)
==3243== by 0x48740CD: event_add_nolock_ (in /usr/lib/x86_64-linux-gnu/libevent-2.1.so.6.0.2)
==3243== by 0x48745A9: event_add (in /usr/lib/x86_64-linux-gnu/libevent-2.1.so.6.0.2)
==3243== by 0x10C4E2: new_connection (mc-crusher.c:767)
==3243== by 0x10D29A: start_template (mc-crusher.c:1048)
==3243== by 0x10D1D4: parse_config_line (mc-crusher.c:1032)
==3243== by 0x10D9DB: main (mc-crusher.c:1181)
==3243==

[dormando]

Thanks! I don't always use the included conf files, so I can see how that snuck in. I've rewritten most of the parsing recently. You can make them work by editing the conf files and detuning them a bit.

[thatsafunnyname]

Thanks for mc-crusher.

I also observed this behaviour while running mc-crusher built from the master branch.
My quick fix was to increase the size of the wbuf array in the connection struct (from 64k to 1m), and warn/error when value_size is too large.

Issue - valgrind "Invalid write of size 2" for mc-crusher/conf/set_big_values

I am running on AlmaLinux release 8.8, running memcached-1.5.22-2.el8 with memcached -p 54321.

cat conf/set_big_values send=ascii_set,recv=blind_read,conns=1,key_prefix=foo,value_size=1047552,key_prealloc=0,key_count=4000

valgrind mc-crusher --conf conf/set_big_values --ip 127.0.0.1 --port 54321
 
ip address default: 127.0.0.1
port default: 54321
id 0 for key send value ascii_set
id 1 for key recv value blind_read
id 5 for key conns value 1
id 8 for key key_prefix value foo
id 12 for key value_size value 1047552
id 26 for key key_prealloc value 0
id 20 for key key_count value 4000
done initializing
==1619176== Thread 2:
==1619176== Invalid write of size 2
==1619176==    at 0x4C42303: memmove (vg_replace_strmem.c:1382)
==1619176==    by 0x40379B: ascii_write_flat_to_client (mc-crusher.c:487)
==1619176==    by 0x4038DD: run_write (mc-crusher.c:543)
==1619176==    by 0x4038DD: client_handler (mc-crusher.c:583)
==1619176==    by 0x4E6CD84: ??? (in /usr/lib64/libevent-2.1.so.6.0.2)
==1619176==    by 0x4E6D786: event_base_loop (in /usr/lib64/libevent-2.1.so.6.0.2)
==1619176==    by 0x40286E: thread_runner (mc-crusher.c:1063)
==1619176==    by 0x542B1C9: start_thread (in /usr/lib64/libpthread-2.28.so)
==1619176==    by 0x567CE72: clone (in /usr/lib64/libc-2.28.so)
==1619176==  Address 0x6431c78 is 0 bytes after a block of size 66,952 alloc'd
==1619176==    at 0x4C38135: malloc (vg_replace_malloc.c:381)
==1619176==    by 0x4020DF: new_connection (mc-crusher.c:636)
==1619176==    by 0x402AB7: start_template (mc-crusher.c:1048)
==1619176==    by 0x403264: parse_config_line (mc-crusher.c:1032)
==1619176==    by 0x4018CC: main (mc-crusher.c:1181)
==1619176==

valgrind: m_mallocfree.c:305 (get_bszB_as_is): Assertion 'bszB_lo == bszB_hi' failed.
valgrind: Heap block lo/hi size mismatch: lo = 67024, hi = 0.
This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata.  If you fix any
invalid writes reported by Memcheck, this assertion failure will
probably go away.  Please try that before reporting this as a bug.
 
Thread 2: status = VgTs_Runnable (lwpid 1619215)
==1619176==    at 0x403729: ascii_write_flat_to_client (mc-crusher.c:492)
==1619176==    by 0x4038DD: run_write (mc-crusher.c:543)
==1619176==    by 0x4038DD: client_handler (mc-crusher.c:583)
==1619176==    by 0x4E6CD84: ??? (in /usr/lib64/libevent-2.1.so.6.0.2)
==1619176==    by 0x4E6D786: event_base_loop (in /usr/lib64/libevent-2.1.so.6.0.2)
==1619176==    by 0x40286E: thread_runner (mc-crusher.c:1063)
==1619176==    by 0x542B1C9: start_thread (in /usr/lib64/libpthread-2.28.so)
==1619176==    by 0x567CE72: clone (in /usr/lib64/libc-2.28.so)
client stack range: [0x670F000 0x6F0DFFF] client SP: 0x6F0DD90
valgrind stack range: [0x1005177000 0x1005276FFF] top usage: 4712 of 1048576

Quick fix:

 diff -du mc-crusher.c.orig mc-crusher.c
--- mc-crusher.c.orig   2024-01-11 07:14:50.503044000 -0500
+++ mc-crusher.c        2024-01-11 08:11:28.261566000 -0500
@@ -53,6 +53,8 @@

 #define SHARED_RBUF_SIZE 1024 * 64
 #define SHARED_VALUE_SIZE 1024 * 1024
+// big enough for conf/set_big_values and below valgrind max-stackframe
+#define WBUF_SIZE 1024 * 1024
 // avoiding some hacks for finding member size.
 #define SOCK_MAX 100

@@ -152,7 +154,7 @@
     int (*ascii_format)(struct connection *c);
     int (*bin_format)(struct connection *c);
     int (*bin_prep_cmd)(struct connection *c);
-    unsigned char wbuf[65536]; // putting this at the end to get more of the above into fewer cachelines.
+    unsigned char wbuf[WBUF_SIZE]; // putting this at the end to get more of the above into fewer cachelines.
 };

 static void client_handler(const int fd, const short which, void *arg);
@@ -915,6 +917,13 @@
             break;
         case VALUE_SIZE:
             template.value_size = atoi(value);
+            if(template.value_size > WBUF_SIZE){
+                fprintf(stderr, "Error, value_size (%i) too large, WBUF_SIZE is %i\n", template.value_size, WBUF_SIZE);
+                exit(-1);
+            }
+            if( (template.value_size + 1024) > WBUF_SIZE){ // allow 1024 bytes for command, key and metadata
+                fprintf(stderr, "Warning, value_size (%i + 1024) may be too large, WBUF_SIZE is %i\n", template.value_size, WBUF_SIZE);
+            }
             break;
         case VALUE:
             strcpy(template.s->value, value);