92 lines
3.1 KiB
Diff
92 lines
3.1 KiB
Diff
Backported for 6.0.9
|
|
|
|
|
|
From c992857618db99776917f10bf4f2345a5fdc78b0 Mon Sep 17 00:00:00 2001
|
|
From: Yossi Gottlieb <yossigo@gmail.com>
|
|
Date: Mon, 22 Feb 2021 15:41:32 +0200
|
|
Subject: [PATCH] Fix integer overflow (CVE-2021-21309). (#8522)
|
|
|
|
On 32-bit systems, setting the proto-max-bulk-len config parameter to a high value may result with integer overflow and a subsequent heap overflow when parsing an input bulk (CVE-2021-21309).
|
|
|
|
This fix has two parts:
|
|
|
|
Set a reasonable limit to the config parameter.
|
|
Add additional checks to prevent the problem in other potential but unknown code paths.
|
|
|
|
(cherry picked from commit d32f2e9999ce003bad0bd2c3bca29f64dcce4433)
|
|
---
|
|
src/config.c | 2 +-
|
|
src/sds.c | 3 +++
|
|
src/zmalloc.c | 10 ++++++++++
|
|
3 files changed, 14 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/src/sds.c b/src/sds.c
|
|
index dc664ca9bc4f..4dbb41d2b703 100644
|
|
--- a/src/sds.c
|
|
+++ b/src/sds.c
|
|
@@ -96,6 +96,7 @@ sds sdsnewlen(const void *init, size_t initlen) {
|
|
int hdrlen = sdsHdrSize(type);
|
|
unsigned char *fp; /* flags pointer. */
|
|
|
|
+ assert(initlen + hdrlen + 1 > initlen); /* Catch size_t overflow */
|
|
sh = s_malloc(hdrlen+initlen+1);
|
|
if (sh == NULL) return NULL;
|
|
if (init==SDS_NOINIT)
|
|
@@ -214,6 +215,7 @@ sds sdsMakeRoomFor(sds s, size_t addlen) {
|
|
len = sdslen(s);
|
|
sh = (char*)s-sdsHdrSize(oldtype);
|
|
newlen = (len+addlen);
|
|
+ assert(newlen > len); /* Catch size_t overflow */
|
|
if (newlen < SDS_MAX_PREALLOC)
|
|
newlen *= 2;
|
|
else
|
|
@@ -227,6 +229,7 @@ sds sdsMakeRoomFor(sds s, size_t addlen) {
|
|
if (type == SDS_TYPE_5) type = SDS_TYPE_8;
|
|
|
|
hdrlen = sdsHdrSize(type);
|
|
+ assert(hdrlen + newlen + 1 > len); /* Catch size_t overflow */
|
|
if (oldtype==type) {
|
|
newsh = s_realloc(sh, hdrlen+newlen+1);
|
|
if (newsh == NULL) return NULL;
|
|
|
|
From c6ad876774f3cc11e32681ea02a2eead00f2c521 Mon Sep 17 00:00:00 2001
|
|
From: YiyuanGUO <yguoaz@gmail.com>
|
|
Date: Wed, 29 Sep 2021 10:20:35 +0300
|
|
Subject: [PATCH] Fix integer overflow in _sdsMakeRoomFor (CVE-2021-41099)
|
|
|
|
---
|
|
src/sds.c | 6 +++---
|
|
1 file changed, 3 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/src/sds.c b/src/sds.c
|
|
index 4dbb41d2b703..a43a1a5cbeed 100644
|
|
--- a/src/sds.c
|
|
+++ b/src/sds.c
|
|
@@ -205,7 +205,7 @@ void sdsclear(sds s) {
|
|
sds sdsMakeRoomFor(sds s, size_t addlen) {
|
|
void *sh, *newsh;
|
|
size_t avail = sdsavail(s);
|
|
- size_t len, newlen;
|
|
+ size_t len, newlen, reqlen;
|
|
char type, oldtype = s[-1] & SDS_TYPE_MASK;
|
|
int hdrlen;
|
|
|
|
@@ -214,7 +214,7 @@ sds sdsMakeRoomFor(sds s, size_t addlen) {
|
|
|
|
len = sdslen(s);
|
|
sh = (char*)s-sdsHdrSize(oldtype);
|
|
- newlen = (len+addlen);
|
|
+ reqlen = newlen = (len+addlen);
|
|
assert(newlen > len); /* Catch size_t overflow */
|
|
if (newlen < SDS_MAX_PREALLOC)
|
|
newlen *= 2;
|
|
@@ -229,7 +229,7 @@ sds sdsMakeRoomFor(sds s, size_t addlen) {
|
|
if (type == SDS_TYPE_5) type = SDS_TYPE_8;
|
|
|
|
hdrlen = sdsHdrSize(type);
|
|
- assert(hdrlen + newlen + 1 > len); /* Catch size_t overflow */
|
|
+ assert(hdrlen + newlen + 1 > reqlen); /* Catch size_t overflow */
|
|
if (oldtype==type) {
|
|
newsh = s_realloc(sh, hdrlen+newlen+1);
|
|
if (newsh == NULL) return NULL;
|