diff options
| author | Oran Agra <oran@redislabs.com> | 2023-02-28 15:15:46 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-02-28 15:15:46 +0200 |
| commit | b1939b052adc058bd814045a745ec02d3f791d7b (patch) | |
| tree | 62cc6215ed8b78c09b0997838e4260253b433fd6 | |
| parent | dcbfcb916ca1a269b3feef86ee86835294758f84 (diff) | |
| download | redis-b1939b052adc058bd814045a745ec02d3f791d7b.tar.gz | |
Integer Overflow in RAND commands can lead to assertion (CVE-2023-25155) (#11857)
Issue happens when passing a negative long value that greater than
the max positive value that the long can store.
| -rw-r--r-- | src/t_hash.c | 4 | ||||
| -rw-r--r-- | src/t_set.c | 2 | ||||
| -rw-r--r-- | src/t_zset.c | 4 | ||||
| -rw-r--r-- | tests/unit/type/hash.tcl | 2 | ||||
| -rw-r--r-- | tests/unit/type/set.tcl | 5 | ||||
| -rw-r--r-- | tests/unit/type/zset.tcl | 2 |
6 files changed, 14 insertions, 5 deletions
diff --git a/src/t_hash.c b/src/t_hash.c index 757ccd4b3..6005f4442 100644 --- a/src/t_hash.c +++ b/src/t_hash.c @@ -1120,13 +1120,13 @@ void hrandfieldCommand(client *c) { listpackEntry ele; if (c->argc >= 3) { - if (getLongFromObjectOrReply(c,c->argv[2],&l,NULL) != C_OK) return; + if (getRangeLongFromObjectOrReply(c,c->argv[2],-LONG_MAX,LONG_MAX,&l,NULL) != C_OK) return; if (c->argc > 4 || (c->argc == 4 && strcasecmp(c->argv[3]->ptr,"withvalues"))) { addReplyErrorObject(c,shared.syntaxerr); return; } else if (c->argc == 4) { withvalues = 1; - if (l < LONG_MIN/2 || l > LONG_MAX/2) { + if (l < -LONG_MAX/2 || l > LONG_MAX/2) { addReplyError(c,"value is out of range"); return; } diff --git a/src/t_set.c b/src/t_set.c index 7b0dbed5a..ba32ae51c 100644 --- a/src/t_set.c +++ b/src/t_set.c @@ -984,7 +984,7 @@ void srandmemberWithCountCommand(client *c) { dict *d; - if (getLongFromObjectOrReply(c,c->argv[2],&l,NULL) != C_OK) return; + if (getRangeLongFromObjectOrReply(c,c->argv[2],-LONG_MAX,LONG_MAX,&l,NULL) != C_OK) return; if (l >= 0) { count = (unsigned long) l; } else { diff --git a/src/t_zset.c b/src/t_zset.c index a5627f031..c78969caf 100644 --- a/src/t_zset.c +++ b/src/t_zset.c @@ -4317,13 +4317,13 @@ void zrandmemberCommand(client *c) { listpackEntry ele; if (c->argc >= 3) { - if (getLongFromObjectOrReply(c,c->argv[2],&l,NULL) != C_OK) return; + if (getRangeLongFromObjectOrReply(c,c->argv[2],-LONG_MAX,LONG_MAX,&l,NULL) != C_OK) return; if (c->argc > 4 || (c->argc == 4 && strcasecmp(c->argv[3]->ptr,"withscores"))) { addReplyErrorObject(c,shared.syntaxerr); return; } else if (c->argc == 4) { withscores = 1; - if (l < LONG_MIN/2 || l > LONG_MAX/2) { + if (l < -LONG_MAX/2 || l > LONG_MAX/2) { addReplyError(c,"value is out of range"); return; } diff --git a/tests/unit/type/hash.tcl b/tests/unit/type/hash.tcl index 113780ff7..17e3ba40b 100644 --- a/tests/unit/type/hash.tcl +++ b/tests/unit/type/hash.tcl @@ -74,6 +74,8 @@ start_server {tags {"hash"}} { test "HRANDFIELD count overflow" { r hmset myhash a 1 assert_error {*value is out of range*} {r hrandfield myhash -9223372036854770000 withvalues} + assert_error {*value is out of range*} {r hrandfield myhash -9223372036854775808 withvalues} + assert_error {*value is out of range*} {r hrandfield myhash -9223372036854775808} } {} test "HRANDFIELD with <count> against non existing key" { diff --git a/tests/unit/type/set.tcl b/tests/unit/type/set.tcl index 8e02525ae..4885c365e 100644 --- a/tests/unit/type/set.tcl +++ b/tests/unit/type/set.tcl @@ -745,6 +745,11 @@ start_server { r srandmember nonexisting_key 100 } {} + test "SRANDMEMBER count overflow" { + r sadd myset a + assert_error {*value is out of range*} {r srandmember myset -9223372036854775808} + } {} + # Make sure we can distinguish between an empty array and a null response r readraw 1 diff --git a/tests/unit/type/zset.tcl b/tests/unit/type/zset.tcl index eb5cb8432..7a9721905 100644 --- a/tests/unit/type/zset.tcl +++ b/tests/unit/type/zset.tcl @@ -2325,6 +2325,8 @@ start_server {tags {"zset"}} { test "ZRANDMEMBER count overflow" { r zadd myzset 0 a assert_error {*value is out of range*} {r zrandmember myzset -9223372036854770000 withscores} + assert_error {*value is out of range*} {r zrandmember myzset -9223372036854775808 withscores} + assert_error {*value is out of range*} {r zrandmember myzset -9223372036854775808} } {} # Make sure we can distinguish between an empty array and a null response |