diff options
author | antirez <antirez@gmail.com> | 2018-06-11 12:08:42 +0200 |
---|---|---|
committer | antirez <antirez@gmail.com> | 2018-06-13 12:40:33 +0200 |
commit | ce17f76bbd95f68ab6716adcbf12d49e3822b87c (patch) | |
tree | 53a82488551e26df4cdf392b45e9a0975c7bc75f | |
parent | e89086e09a38cc6713bcd4b9c29abf92cf393936 (diff) | |
download | redis-ce17f76bbd95f68ab6716adcbf12d49e3822b87c.tar.gz |
Security: fix redis-cli buffer overflow.
Thanks to Fakhri Zulkifli for reporting it.
The fix switched to dynamic allocation, copying the final prompt in the
static buffer only at the end.
-rw-r--r-- | src/redis-cli.c | 27 |
1 files changed, 16 insertions, 11 deletions
diff --git a/src/redis-cli.c b/src/redis-cli.c index af5e6a230..b1ece6250 100644 --- a/src/redis-cli.c +++ b/src/redis-cli.c @@ -258,20 +258,25 @@ static long long mstime(void) { } static void cliRefreshPrompt(void) { - int len; - if (config.eval_ldb) return; - if (config.hostsocket != NULL) - len = snprintf(config.prompt,sizeof(config.prompt),"redis %s", - config.hostsocket); - else - len = anetFormatAddr(config.prompt, sizeof(config.prompt), - config.hostip, config.hostport); + + sds prompt = sdsempty(); + if (config.hostsocket != NULL) { + prompt = sdscatfmt(prompt,"redis %s",config.hostsocket); + } else { + char addr[256]; + anetFormatAddr(addr, sizeof(addr), config.hostip, config.hostport); + prompt = sdscatlen(prompt,addr,strlen(addr)); + } + /* Add [dbnum] if needed */ if (config.dbnum != 0) - len += snprintf(config.prompt+len,sizeof(config.prompt)-len,"[%d]", - config.dbnum); - snprintf(config.prompt+len,sizeof(config.prompt)-len,"> "); + prompt = sdscatfmt(prompt,"[%i]",config.dbnum); + + /* Copy the prompt in the static buffer. */ + prompt = sdscatlen(prompt,"> ",2); + snprintf(config.prompt,sizeof(config.prompt),"%s",prompt); + sdsfree(prompt); } /* Return the name of the dotfile for the specified 'dotfilename'. |