author | Oran Agra <oran@redislabs.com> | 2022-07-18 11:36:19 +0300 |
---|---|---|
committer | Oran Agra <oran@redislabs.com> | 2022-07-18 16:04:07 +0300 |
commit | 15ae4e29e537e7ec37f0df1825d9fb2beea67124 (patch) | |
tree | 84a8c5276181b59c623143bee07724f3be9728b6 | |
parent | 21fd252a627324086a9df60bac2ae91fd12c4c09 (diff) | |
download | redis-15ae4e29e537e7ec37f0df1825d9fb2beea67124.tar.gz |
Fix heap overflow corruption in XAUTOCLAIM (CVE-2022-31144) (#11002)
The temporary array used for the deleted-entries part of the XAUTOCLAIM
reply was insufficiently sized. In addition, the COUNT argument should
control the size of the reply, so instead of terminating the loop by
counting only the claimed entries, we now count deleted entries as well.
Fix #10968
Addresses CVE-2022-31144
(cherry picked from commit 2825b6057bee911e69b6fd30eb338d02e9d7ff90)
-rw-r--r-- | src/t_stream.c | 1 | ||||
-rw-r--r-- | tests/unit/type/stream-cgroups.tcl | 21 |
2 files changed, 20 insertions, 2 deletions
diff --git a/src/t_stream.c b/src/t_stream.c
index 617976c9c..2bcae25b4 100644
--- a/src/t_stream.c
+++ b/src/t_stream.c
@@ -3421,6 +3421,7 @@ void xautoclaimCommand(client *c) {
 /* Remember the ID for later */
 deleted_ids[deleted_id_num++] = id;
 raxSeek(&ri,">=",ri.key,ri.key_len);
+ count--; /* Count is a limit of the command response size. */
 continue;
 }
diff --git a/tests/unit/type/stream-cgroups.tcl b/tests/unit/type/stream-cgroups.tcl
index d9bb4e760..a6ed716fb 100644
--- a/tests/unit/type/stream-cgroups.tcl
+++ b/tests/unit/type/stream-cgroups.tcl
@@ -584,9 +584,9 @@ start_server {
 # from the PEL of consumer 1, this should return nil
 r XDEL mystream $id2
- # id1 and id3 are self-claimed here but not id2 ('count' was set to 2)
+ # id1 and id3 are self-claimed here but not id2 ('count' was set to 3)
 # we make sure id2 is indeed skipped (the cursor points to id4)
- set reply [r XAUTOCLAIM mystream mygroup consumer2 10 - COUNT 2]
+ set reply [r XAUTOCLAIM mystream mygroup consumer2 10 - COUNT 3]
 assert_equal [llength $reply] 3
 assert_equal [lindex $reply 0] $id4
@@ -595,6 +595,8 @@ start_server {
 assert_equal [llength [lindex $reply 1 0 1]] 2
 assert_equal [lindex $reply 1 0 1] {a 1}
 assert_equal [lindex $reply 1 1 1] {c 3}
+ assert_equal [llength [lindex $reply 2]] 1
+ assert_equal [llength [lindex $reply 2 0]] 1
 # Delete item 3 from the stream. Now consumer 1 has PEL that is empty.
 # Try to use consumer 2 to claim the deleted item 3 from the PEL
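Review bot: The store `deleted_ids[deleted_id_num++] = id;` in the xautoclaimCommand hunk is still unguarded at the write site, and the comment on the added `count--` mentions only response size, so nothing here tells a maintainer that this decrement is what keeps the index in bounds. The allocation of `deleted_ids` and the loop condition are outside the hunk; going by the commit message the array is tied to COUNT, so presumably the loop stops once `count` reaches zero. I would state the invariant on the new line, e.g. `count--; /* Count limits the reply size and therefore the number of deleted_ids slots used. */`. If the original COUNT value is still available at this point, an assertion that `deleted_id_num` is below it before the store would turn a future regression into a clean failure rather than heap corruption. xautoclaimCommand's body starts and ends outside the hunk.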
@@ -701,6 +703,21 @@ start_server {
 assert_equal [r XPENDING x grp - + 10 Alice] {}
 }
+ test {XAUTOCLAIM with XDEL and count} {
+ r DEL x
+ r XADD x 1-0 f v
+ r XADD x 2-0 f v
+ r XADD x 3-0 f v
+ r XGROUP CREATE x grp 0
+ assert_equal [r XREADGROUP GROUP grp Alice STREAMS x >] {{x {{1-0 {f v}} {2-0 {f v}} {3-0 {f v}}}}}
+ r XDEL x 1-0
+ r XDEL x 2-0
+ assert_equal [r XAUTOCLAIM x grp Bob 0 0-0 COUNT 1] {2-0 {} 1-0}
+ assert_equal [r XAUTOCLAIM x grp Bob 0 2-0 COUNT 1] {3-0 {} 2-0}
+ assert_equal [r XAUTOCLAIM x grp Bob 0 3-0 COUNT 1] {0-0 {{3-0 {f v}}} {}}
+ assert_equal [r XPENDING x grp - + 10 Alice] {}
+ }
+
 test {XCLAIM with trimming} {
 r DEL x
 r config set stream-node-max-entries 2 |