Fix possible memory corruption in FLUSHALL when a client watches more than one key (#11854)

Avoid calling unwatchAllKeys when running touchAllWatchedKeysInDb (which was unnecessary)
This can potentially lead to use-after-free and memory corruption when the next entry
pointer held by the watched keys iterator is freed when unwatching all keys of a specific client.
found with address sanitizer, added a test which will not always fail (depending on the random
dict hashing seed)
problem introduced in #9829 (Reids 7.0)

Co-authored-by: Oran Agra <oran@redislabs.com>

2 files changed, 11 insertions, 3 deletions

diff --git a/src/multi.c b/src/multi.c
index 48b5d15d6..65d502c25 100644
--- a/src/multi.c
+++ b/src/multi.c
@@ -458,9 +458,9 @@ void touchAllWatchedKeysInDb(redisDb *emptied, redisDb *replaced_with) {
                 }
                 client *c = wk->client;
                 c->flags |= CLIENT_DIRTY_CAS;
-                /* As the client is marked as dirty, there is no point in getting here
-                 * again for others keys (or keep the memory overhead till EXEC). */
-                unwatchAllKeys(c);
+                /* Note - we could potentially call unwatchAllKeys for this specific client in order to reduce
+                 * the total number of iterations. BUT this could also free the current next entry pointer
+                 * held by the iterator and can lead to use-after-free. */
             }
         }
     }
diff --git a/tests/unit/multi.tcl b/tests/unit/multi.tcl
index 26ab8e571..bdf398150 100644
--- a/tests/unit/multi.tcl
+++ b/tests/unit/multi.tcl
@@ -894,6 +894,14 @@ start_server {tags {"multi"}} {
         r readraw 1
         set _ $res
     } {*CONFIG SET failed*}
+    
+    test "Flushall while watching several keys by one client" {
+        r flushall
+        r mset a a b b
+        r watch b a
+        r flushall
+        r ping
+     }
 }
 
 start_server {overrides {appendonly {yes} appendfilename {appendonly.aof} appendfsync always} tags {external:skip}} {