author | antirez <antirez@gmail.com> | 2018-06-11 12:08:42 +0200 |
---|---|---|
committer | antirez <antirez@gmail.com> | 2018-06-13 12:40:50 +0200 |
commit | 37578f2ecf32169bc68eead148feca9dab3f7e1b (patch) | |
tree | 288b3beae632cd189ff9ded8d9ebbbb370a7159e | |
parent | 299d5a4b2cb50f1f2d79e2f034b00cd937115db0 (diff) | |
download | redis-37578f2ecf32169bc68eead148feca9dab3f7e1b.tar.gz |
Security: fix redis-cli buffer overflow.
Thanks to Fakhri Zulkifli for reporting it.
The fix switched to dynamic allocation, copying the final prompt into the
static buffer only at the end.
-rw-r--r-- | src/redis-cli.c | 27 |
1 files changed, 16 insertions, 11 deletions
diff --git a/src/redis-cli.c b/src/redis-cli.c
index 1b6cebd31..127f044b9 100644
--- a/src/redis-cli.c
+++ b/src/redis-cli.c
@@ -151,20 +151,25 @@ static long long mstime(void) {
 }
 
 static void cliRefreshPrompt(void) {
-    int len;
-
     if (config.eval_ldb) return;
-    if (config.hostsocket != NULL)
-        len = snprintf(config.prompt,sizeof(config.prompt),"redis %s",
-                       config.hostsocket);
-    else
-        len = anetFormatAddr(config.prompt, sizeof(config.prompt),
-                           config.hostip, config.hostport);
+
+    sds prompt = sdsempty();
+    if (config.hostsocket != NULL) {
+        prompt = sdscatfmt(prompt,"redis %s",config.hostsocket);
+    } else {
+        char addr[256];
+        anetFormatAddr(addr, sizeof(addr), config.hostip, config.hostport);
+        prompt = sdscatlen(prompt,addr,strlen(addr));
+    }
+
     /* Add [dbnum] if needed */
     if (config.dbnum != 0)
-        len += snprintf(config.prompt+len,sizeof(config.prompt)-len,"[%d]",
-                        config.dbnum);
-    snprintf(config.prompt+len,sizeof(config.prompt)-len,"> ");
+        prompt = sdscatfmt(prompt,"[%i]",config.dbnum);
+
+    /* Copy the prompt in the static buffer. */
+    prompt = sdscatlen(prompt,"> ",2);
+    snprintf(config.prompt,sizeof(config.prompt),"%s",prompt);
+    sdsfree(prompt);
 }
 
 /* Return the name of the dotfile for the specified 'dotfilename'. |
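Review bot: The `/* Copy the prompt in the static buffer. */` comment sits one line above the statement it describes, heading the `sdscatlen(prompt,"> ",2)` append instead of the final `snprintf`, and nothing in the new body records why the prompt is assembled in an sds first. I would move it onto the `snprintf` line and extend it to `/* Copy the prompt into the static buffer: one bounded snprintf() truncates and NUL-terminates, with no running offset into config.prompt. */`, so a later edit does not bring back the `config.prompt+len` arithmetic the removed lines used. That truncation is silent, so an overlong `config.hostsocket` or `config.hostip` produces a prompt without the trailing `"> "`; a short comment saying this is accepted would help. The `strlen(addr)` on the 256-byte `addr` also relies on `anetFormatAddr` always bounding and terminating its output, which is not visible in this hunk and is worth confirming.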