authorOran Agra <oran@redislabs.com>2023-01-01 19:44:12 +0200
committerOran Agra <oran@redislabs.com>2023-01-16 18:40:35 +0200
commit3f1f02034ce674cad8268f958cf8c39944b240c6 (patch)
tree301d708155196fc87f55c19d47681a9b657bbe0a
parent6c25c6b7da116e110e89a5db45eeae743879e7ea (diff)
Fix range issues in ZRANDMEMBER and HRANDFIELD (CVE-2023-22458)
Missing range check in ZRANDMEMBER and HRANDFIELD, leading to a panic due to protocol limitations.
-rw-r--r--src/t_hash.c7
-rw-r--r--src/t_zset.c7
-rw-r--r--tests/unit/type/hash.tcl5
-rw-r--r--tests/unit/type/zset.tcl5
4 files changed, 22 insertions, 2 deletions
diff --git a/src/t_hash.c b/src/t_hash.c
index 405a55695..754315080 100644
--- a/src/t_hash.c
+++ b/src/t_hash.c
@@ -1124,8 +1124,13 @@ void hrandfieldCommand(client *c) {
if (c->argc > 4 || (c->argc == 4 && strcasecmp(c->argv[3]->ptr,"withvalues"))) {
addReplyErrorObject(c,shared.syntaxerr);
return;
- } else if (c->argc == 4)
+ } else if (c->argc == 4) {
withvalues = 1;
+ if (l < LONG_MIN/2 || l > LONG_MAX/2) {
+ addReplyError(c,"value is out of range");
+ return;
+ }
+ }
hrandfieldWithCountCommand(c, l, withvalues);
return;
}
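Review bot: The new range check sits inside the `c->argc == 4` branch, so a count given without WITHVALUES still reaches `hrandfieldWithCountCommand(c, l, withvalues)` unvalidated. The callee and the start of hrandfieldCommand are outside this hunk, but if the callee negates a negative count to get the number of items, `LONG_MIN` would be a signed overflow; a guard for the three-argument form such as `if (l == LONG_MIN) { addReplyError(c,"value is out of range"); return; }` before the call would rule that out. The `/2` bound also deserves a why-comment, for example `/* presumably WITHVALUES doubles the reply length, so the count must fit in half the long range */`, worded to match whatever the reply code actually does. Both points apply equally to the identical hunk in `zrandmemberCommand` in src/t_zset.c.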
diff --git a/src/t_zset.c b/src/t_zset.c
index dc97c7075..3cd2d2438 100644
--- a/src/t_zset.c
+++ b/src/t_zset.c
@@ -4293,8 +4293,13 @@ void zrandmemberCommand(client *c) {
if (c->argc > 4 || (c->argc == 4 && strcasecmp(c->argv[3]->ptr,"withscores"))) {
addReplyErrorObject(c,shared.syntaxerr);
return;
- } else if (c->argc == 4)
+ } else if (c->argc == 4) {
withscores = 1;
+ if (l < LONG_MIN/2 || l > LONG_MAX/2) {
+ addReplyError(c,"value is out of range");
+ return;
+ }
+ }
zrandmemberWithCountCommand(c, l, withscores);
return;
}
diff --git a/tests/unit/type/hash.tcl b/tests/unit/type/hash.tcl
index ae5677383..fcb42e81e 100644
--- a/tests/unit/type/hash.tcl
+++ b/tests/unit/type/hash.tcl
@@ -71,6 +71,11 @@ start_server {tags {"hash"}} {
r hrandfield myhash 0
} {}
+ test "HRANDFIELD count overflow" {
+ r hmset myhash a 1
+ assert_error {*value is out of range*} {r hrandfield myhash -9223372036854770000 withvalues}
+ } {}
+
test "HRANDFIELD with <count> against non existing key" {
r hrandfield nonexisting_key 100
} {}
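Review bot: The added test only sends a large negative count with WITHVALUES, so the `l > LONG_MAX/2` half of the new check is never exercised. A second assertion with a constructed positive value, e.g. `assert_error {*value is out of range*} {r hrandfield myhash 9223372036854770000 withvalues}`, would cover it. The literal also assumes a 64-bit `long`; on a 32-bit build the count would presumably be rejected earlier by integer parsing with a different message, so the pattern may need loosening or the test a platform guard. The same gaps apply to the "ZRANDMEMBER count overflow" test in tests/unit/type/zset.tcl.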
diff --git a/tests/unit/type/zset.tcl b/tests/unit/type/zset.tcl
index 0e2457516..a758aee46 100644
--- a/tests/unit/type/zset.tcl
+++ b/tests/unit/type/zset.tcl
@@ -2300,6 +2300,11 @@ start_server {tags {"zset"}} {
r zrandmember nonexisting_key 100
} {}
+ test "ZRANDMEMBER count overflow" {
+ r zadd myzset 0 a
+ assert_error {*value is out of range*} {r zrandmember myzset -9223372036854770000 withscores}
+ } {}
+
# Make sure we can distinguish between an empty array and a null response
r readraw 1