File CVE-2023-36824.patch of Package redis7.30607
From bd1dac0c6e9b76d0e6439bc74ee83552edcd0d79 Mon Sep 17 00:00:00 2001
From: Lior Lahav <118261070+llahav-amzn@users.noreply.github.com>
Date: Mon, 3 Jul 2023 12:45:18 +0300
Subject: [PATCH] Fix possible crash in command getkeys (#12380)

When getKeysUsingKeySpecs processes a command with more than one key-spec, and called with a total of more than 256 keys, it'll call getKeysPrepareResult again, but since numkeys isn't updated, getKeysPrepareResult will not bother to copy key names from the old result (leaving these slots uninitialized). Furthermore, it did not consider the keys it already found when allocating more space.

Co-authored-by: Oran Agra <oran@redislabs.com>
(cherry picked from commit b7559d9f3b5e6ebb3fe3ad4570e3313ccaffa89e)
---
 src/db.c | 13 +++++++------
 tests/unit/introspection-2.tcl | 15 +++++++++++++++
 2 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/src/db.c b/src/db.c
index 0478fb55f5e4..d07267c315ff 100644
--- a/src/db.c
+++ b/src/db.c
@@ -1770,8 +1770,9 @@ int64_t getAllKeySpecsFlags(struct redisCommand *cmd, int inv) {
 * found in other valid keyspecs. */
 int getKeysUsingKeySpecs(struct redisCommand *cmd, robj **argv, int argc, int search_flags, getKeysResult *result) {
- int j, i, k = 0, last, first, step;
+ int j, i, last, first, step;
 keyReference *keys;
+ result->numkeys = 0;
 for (j = 0; j < cmd->key_specs_num; j++) {
 keySpec *spec = cmd->key_specs + j;
@@ -1836,7 +1837,7 @@ int getKeysUsingKeySpecs(struct redisCommand *cmd, robj **argv, int argc, int se
 }
 int count = ((last - first)+1);
- keys = getKeysPrepareResult(result, count);
+ keys = getKeysPrepareResult(result, result->numkeys + count);
 /* First or last is out of bounds, which indicates a syntax error */
 if (last >= argc || last < first || first >= argc) {
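Review bot: The added `result->numkeys = 0;` in the first hunk (`@@ -1770,8 +1770,9 @@`) turns `result->numkeys` into the running count for the whole key-spec loop, but no comment in the new code records that. The commit message says getKeysPrepareResult uses that field to decide what to copy from the old buffer, so a comment on the reset would save the next maintainer from reintroducing a local counter: `/* numkeys is the running count across key-specs; getKeysPrepareResult() relies on it to keep keys already found when it grows the buffer. */`. The reset also discards any count the caller left in `result`, which the function's header comment should state. The function body continues outside the hunk.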
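Review bot: In the second hunk (`@@ -1836,7 +1837,7 @@`), `getKeysPrepareResult(result, result->numkeys + count)` still runs before the context check `if (last >= argc || last < first || first >= argc)`, so the buffer is sized from `first`/`last` values that have not been validated yet. The code that sets `last` is outside the hunk; if it can come from a count argument in the command, the requested size is controlled by input until the syntax-error path rejects it, and `last < first` yields a non-positive `count`. Moving the `keys = getKeysPrepareResult(...)` line below the bounds check would size the buffer only from accepted positions. Rejecting a sum that would overflow `int` (`count > INT_MAX - result->numkeys`) belongs in the same place. The enclosing loop starts and ends outside the hunk.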
@@ -1857,8 +1858,9 @@ int getKeysUsingKeySpecs(struct redisCommand *cmd, robj **argv, int argc, int se
 serverPanic("Redis built-in command declared keys positions not matching the arity requirements.");
 }
 }
- keys[k].pos = i;
- keys[k++].flags = spec->flags;
+ keys[result->numkeys].pos = i;
+ keys[result->numkeys].flags = spec->flags;
+ result->numkeys++;
 }
 /* Handle incomplete specs (only after we added the current spec
@@ -1879,8 +1881,7 @@ int getKeysUsingKeySpecs(struct redisCommand *cmd, robj **argv, int argc, int se
 }
 }
- result->numkeys = k;
- return k;
+ return result->numkeys;
 }
 /* Return all the arguments that are keys in the command passed via argc / argv.
diff --git a/tests/unit/introspection-2.tcl b/tests/unit/introspection-2.tcl
index dab8008e89f0..116ae0b058b3 100644
--- a/tests/unit/introspection-2.tcl
+++ b/tests/unit/introspection-2.tcl
@@ -117,6 +117,21 @@ start_server {tags {"introspection"}} {
 assert_equal {key1 key2} [r command getkeys lcs key1 key2]
 }
+ test {COMMAND GETKEYS MORE THAN 256 KEYS} {
+ set all_keys [list]
+ set numkeys 260
+ for {set i 1} {$i <= $numkeys} {incr i} {
+ lappend all_keys "key$i"
+ }
+ set all_keys_with_target [linsert $all_keys 0 target]
+ # we are using ZUNIONSTORE command since in order to reproduce allocation of a new buffer in getKeysPrepareResult
+ # when numkeys in result > 0
+ # we need a command that the final number of keys is not known in the first call to getKeysPrepareResult
+ # before the fix in that case data of old buffer was not copied to the new result buffer
+ # causing all previous keys (numkeys) data to be uninitialize
+ assert_equal $all_keys_with_target [r command getkeys ZUNIONSTORE target $numkeys {*}$all_keys]
+ }
+
 test "COMMAND LIST syntax error" {
 assert_error "ERR syntax error*" {r command list bad_arg}
 assert_error "ERR syntax error*" {r command list filterby bad_arg}
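Review bot: The new test in tests/unit/introspection-2.tcl hard-codes `set numkeys 260` without tying it to the 256-key threshold named in the commit message, so a later change to that limit in src/db.c could leave the test passing without reaching the reallocation path. A comment beside the constant would keep the two in sync: `# must stay above the 256-key limit so getKeysPrepareResult has to grow the buffer`. The assertion compares key names only, so a regression that reads uninitialized slots is presumably caught reliably only when the suite runs under a memory checker; the comment could say so. The last comment line also reads "uninitialize" where "uninitialized" is meant.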