File CVE-2023-28425.patch of Package redis7

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2023-28425.patch of Package redis7

From 6956d15b776e72f7274b516224e930f2c957bac3 Mon Sep 17 00:00:00 2001
From: Oran Agra <oran@redislabs.com>
Date: Mon, 20 Mar 2023 14:42:07 +0200
Subject: [PATCH] Avoid assertion when MSETNX is used with the same key twice
 (CVE-2023-28425)

Using the same key twice in MSETNX command would trigger an assertion.

This reverts #11594 (introduced in Redis 7.0.8)
---
 src/t_string.c             | 4 +---
 tests/unit/type/string.tcl | 9 +++++++++
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/t_string.c b/src/t_string.c
index af58d7d5478c..4659e18610df 100644
--- a/src/t_string.c
+++ b/src/t_string.c
@@ -561,7 +561,6 @@ void mgetCommand(client *c) {
 
 void msetGenericCommand(client *c, int nx) {
     int j;
-    int setkey_flags = 0;
 
     if ((c->argc % 2) == 0) {
         addReplyErrorArity(c);
@@ -577,12 +576,11 @@ void msetGenericCommand(client *c, int nx) {
                 return;
             }
         }
-        setkey_flags |= SETKEY_DOESNT_EXIST;
     }
 
     for (j = 1; j < c->argc; j += 2) {
         c->argv[j+1] = tryObjectEncoding(c->argv[j+1]);
-        setKey(c, c->db, c->argv[j], c->argv[j + 1], setkey_flags);
+        setKey(c, c->db, c->argv[j], c->argv[j + 1], 0);
         notifyKeyspaceEvent(NOTIFY_STRING,"set",c->argv[j],c->db->id);
     }
     server.dirty += (c->argc-1)/2;
diff --git a/tests/unit/type/string.tcl b/tests/unit/type/string.tcl
index f32f72368a4e..c535da953977 100644
--- a/tests/unit/type/string.tcl
+++ b/tests/unit/type/string.tcl
@@ -234,6 +234,15 @@ start_server {tags {"string"}} {
         list [r msetnx x1{t} xxx y2{t} yyy] [r get x1{t}] [r get y2{t}]
     } {1 xxx yyy}
 
+    test {MSETNX with not existing keys - same key twice} {
+        r del x1{t}
+        list [r msetnx x1{t} xxx x1{t} yyy] [r get x1{t}]
+    } {1 yyy}
+
+    test {MSETNX with already existing keys - same key twice} {
+        list [r msetnx x1{t} xxx x1{t} zzz] [r get x1{t}]
+    } {0 yyy}
+
     test "STRLEN against non-existing key" {
         assert_equal 0 [r strlen notakey]
     }

Places

File CVE-2023-28425.patch of Package redis7

Places