55 lines
2.4 KiB
Diff
55 lines
2.4 KiB
Diff
From e351099e1119fb89496be578f5232c61ce300224 Mon Sep 17 00:00:00 2001
|
|
From: Oran Agra <oran@redislabs.com>
|
|
Date: Sun, 7 Jan 2024 12:32:44 +0200
|
|
Subject: [PATCH] Fix possible corruption in sdsResize (CVE-2023-41056)
|
|
|
|
#11766 introduced a bug in sdsResize where it could forget to update
|
|
the sds type in the sds header and then cause an overflow in sdsalloc.
|
|
it looks like the only implication of that is a possible assertion in HLL,
|
|
but it's hard to rule out possible heap corruption issues with clientsCronResizeQueryBuffer
|
|
---
|
|
src/sds.c | 30 ++++++++++++++++--------------
|
|
1 file changed, 16 insertions(+), 14 deletions(-)
|
|
|
|
diff --git a/src/sds.c b/src/sds.c
|
|
index 8e5863a3ab8e..71490d5b2522 100644
|
|
--- a/src/sds.c
|
|
+++ b/src/sds.c
|
|
@@ -348,20 +348,22 @@ sds sdsResize(sds s, size_t size, int would_regrow) {
|
|
* type. */
|
|
int use_realloc = (oldtype==type || (type < oldtype && type > SDS_TYPE_8));
|
|
size_t newlen = use_realloc ? oldhdrlen+size+1 : hdrlen+size+1;
|
|
- int alloc_already_optimal = 0;
|
|
- #if defined(USE_JEMALLOC)
|
|
- /* je_nallocx returns the expected allocation size for the newlen.
|
|
- * We aim to avoid calling realloc() when using Jemalloc if there is no
|
|
- * change in the allocation size, as it incurs a cost even if the
|
|
- * allocation size stays the same. */
|
|
- alloc_already_optimal = (je_nallocx(newlen, 0) == zmalloc_size(sh));
|
|
- #endif
|
|
-
|
|
- if (use_realloc && !alloc_already_optimal) {
|
|
- newsh = s_realloc(sh, newlen);
|
|
- if (newsh == NULL) return NULL;
|
|
- s = (char*)newsh+oldhdrlen;
|
|
- } else if (!alloc_already_optimal) {
|
|
+
|
|
+ if (use_realloc) {
|
|
+ int alloc_already_optimal = 0;
|
|
+ #if defined(USE_JEMALLOC)
|
|
+ /* je_nallocx returns the expected allocation size for the newlen.
|
|
+ * We aim to avoid calling realloc() when using Jemalloc if there is no
|
|
+ * change in the allocation size, as it incurs a cost even if the
|
|
+ * allocation size stays the same. */
|
|
+ alloc_already_optimal = (je_nallocx(newlen, 0) == zmalloc_size(sh));
|
|
+ #endif
|
|
+ if (!alloc_already_optimal) {
|
|
+ newsh = s_realloc(sh, newlen);
|
|
+ if (newsh == NULL) return NULL;
|
|
+ s = (char*)newsh+oldhdrlen;
|
|
+ }
|
|
+ } else {
|
|
newsh = s_malloc(newlen);
|
|
if (newsh == NULL) return NULL;
|
|
memcpy((char*)newsh+hdrlen, s, len);
|