Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
Please login to access the resource
openSUSE:Leap:15.5:Update
redis7.29845
CVE-2023-25155.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2023-25155.patch of Package redis7.29845
From 2a2a582e7cd99ba3b531336b8bd41df2b566e619 Mon Sep 17 00:00:00 2001 From: Oran Agra <oran@redislabs.com> Date: Tue, 21 Feb 2023 15:16:13 +0200 Subject: [PATCH] Integer Overflow in RAND commands can lead to assertion (CVE-2023-25155) Issue happens when passing a negative long value that greater than the max positive value that the long can store. --- src/t_hash.c | 4 ++-- src/t_set.c | 2 +- src/t_zset.c | 4 ++-- tests/unit/type/hash.tcl | 2 ++ tests/unit/type/set.tcl | 5 +++++ tests/unit/type/zset.tcl | 2 ++ 6 files changed, 14 insertions(+), 5 deletions(-) diff --git a/src/t_hash.c b/src/t_hash.c index 754315080d57..f4ddccc62134 100644 --- a/src/t_hash.c +++ b/src/t_hash.c @@ -1120,13 +1120,13 @@ void hrandfieldCommand(client *c) { listpackEntry ele; if (c->argc >= 3) { - if (getLongFromObjectOrReply(c,c->argv[2],&l,NULL) != C_OK) return; + if (getRangeLongFromObjectOrReply(c,c->argv[2],-LONG_MAX,LONG_MAX,&l,NULL) != C_OK) return; if (c->argc > 4 || (c->argc == 4 && strcasecmp(c->argv[3]->ptr,"withvalues"))) { addReplyErrorObject(c,shared.syntaxerr); return; } else if (c->argc == 4) { withvalues = 1; - if (l < LONG_MIN/2 || l > LONG_MAX/2) { + if (l < -LONG_MAX/2 || l > LONG_MAX/2) { addReplyError(c,"value is out of range"); return; } diff --git a/src/t_set.c b/src/t_set.c index b01729f0a6b0..dff66d05273d 100644 --- a/src/t_set.c +++ b/src/t_set.c @@ -665,7 +665,7 @@ void srandmemberWithCountCommand(client *c) { dict *d; - if (getLongFromObjectOrReply(c,c->argv[2],&l,NULL) != C_OK) return; + if (getRangeLongFromObjectOrReply(c,c->argv[2],-LONG_MAX,LONG_MAX,&l,NULL) != C_OK) return; if (l >= 0) { count = (unsigned long) l; } else { diff --git a/src/t_zset.c b/src/t_zset.c index 3cd2d24381cc..a9b5031ea328 100644 --- a/src/t_zset.c +++ b/src/t_zset.c @@ -4289,13 +4289,13 @@ void zrandmemberCommand(client *c) { listpackEntry ele; if (c->argc >= 3) { - if (getLongFromObjectOrReply(c,c->argv[2],&l,NULL) != C_OK) return; + if (getRangeLongFromObjectOrReply(c,c->argv[2],-LONG_MAX,LONG_MAX,&l,NULL) != C_OK) return; if (c->argc > 4 || (c->argc == 4 && strcasecmp(c->argv[3]->ptr,"withscores"))) { addReplyErrorObject(c,shared.syntaxerr); return; } else if (c->argc == 4) { withscores = 1; - if (l < LONG_MIN/2 || l > LONG_MAX/2) { + if (l < -LONG_MAX/2 || l > LONG_MAX/2) { addReplyError(c,"value is out of range"); return; } diff --git a/tests/unit/type/hash.tcl b/tests/unit/type/hash.tcl index fcb42e81e4ed..4edb146ed5da 100644 --- a/tests/unit/type/hash.tcl +++ b/tests/unit/type/hash.tcl @@ -74,6 +74,8 @@ start_server {tags {"hash"}} { test "HRANDFIELD count overflow" { r hmset myhash a 1 assert_error {*value is out of range*} {r hrandfield myhash -9223372036854770000 withvalues} + assert_error {*value is out of range*} {r hrandfield myhash -9223372036854775808 withvalues} + assert_error {*value is out of range*} {r hrandfield myhash -9223372036854775808} } {} test "HRANDFIELD with <count> against non existing key" { diff --git a/tests/unit/type/set.tcl b/tests/unit/type/set.tcl index 30b6dc5d74df..5257dccea37b 100644 --- a/tests/unit/type/set.tcl +++ b/tests/unit/type/set.tcl @@ -645,6 +645,11 @@ start_server { r srandmember nonexisting_key 100 } {} + test "SRANDMEMBER count overflow" { + r sadd myset a + assert_error {*value is out of range*} {r srandmember myset -9223372036854775808} + } {} + # Make sure we can distinguish between an empty array and a null response r readraw 1 diff --git a/tests/unit/type/zset.tcl b/tests/unit/type/zset.tcl index a758aee46456..88c0bcb43992 100644 --- a/tests/unit/type/zset.tcl +++ b/tests/unit/type/zset.tcl @@ -2303,6 +2303,8 @@ start_server {tags {"zset"}} { test "ZRANDMEMBER count overflow" { r zadd myzset 0 a assert_error {*value is out of range*} {r zrandmember myzset -9223372036854770000 withscores} + assert_error {*value is out of range*} {r zrandmember myzset -9223372036854775808 withscores} + assert_error {*value is out of range*} {r zrandmember myzset -9223372036854775808} } {} # Make sure we can distinguish between an empty array and a null response
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor