author | ranshid <88133677+ranshid@users.noreply.github.com> | 2023-02-28 12:02:55 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-02-28 12:02:55 +0200 |
commit | 18017df7c1407bc025741c64a90f20f4a8098bd2 (patch) | |
tree | 60242667f7c8e78a467e820b636d61991784f3fd /src/multi.c | |
parent | 4972760b67e793413ff885d1e05c01627497d360 (diff) | |
Fix possible memory corruption in FLUSHALL when a client watches more than one key (#11854)
Avoid calling unwatchAllKeys when running touchAllWatchedKeysInDb (which was unnecessary)
This can potentially lead to use-after-free and memory corruption when the next entry
pointer held by the watched keys iterator is freed when unwatching all keys of a specific client.
found with address sanitizer, added a test which will not always fail (depending on the random
dict hashing seed)
problem introduced in #9829 (Redis 7.0)
Co-authored-by: Oran Agra <oran@redislabs.com>
Diffstat (limited to 'src/multi.c')
-rw-r--r-- | src/multi.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/src/multi.c b/src/multi.c index 48b5d15d6..65d502c25 100644 --- a/src/multi.c +++ b/src/multi.c @@ -458,9 +458,9 @@ void touchAllWatchedKeysInDb(redisDb *emptied, redisDb *replaced_with) { } client *c = wk->client; c->flags |= CLIENT_DIRTY_CAS; - /* As the client is marked as dirty, there is no point in getting here - * again for others keys (or keep the memory overhead till EXEC). */ - unwatchAllKeys(c); + /* Note - we could potentially call unwatchAllKeys for this specific client in order to reduce + * the total number of iterations. BUT this could also free the current next entry pointer + * held by the iterator and can lead to use-after-free. */ } } } |
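Review bot: the replacement comment in touchAllWatchedKeysInDb warns about "the current next entry pointer held by the iterator" without saying which iterator that is, and it drops the removed comment's point about keeping "the memory overhead till EXEC". Suggest naming the iterator whose saved next pointer is at risk, so a later cleanup does not reintroduce the unwatchAllKeys(c) call, and stating the accepted cost: a client already marked CLIENT_DIRTY_CAS keeps its watch entries and is reached again for its other keys, which is harmless because `c->flags |= CLIENT_DIRTY_CAS` is idempotent. The three added comment lines are also noticeably longer than the lines they replace; wrapping them to the width of the surrounding code would keep the file consistent.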