diff options
author | antirez <antirez@gmail.com> | 2018-06-11 12:08:42 +0200 |
---|---|---|
committer | antirez <antirez@gmail.com> | 2018-06-13 12:40:33 +0200 |
commit | ce17f76bbd95f68ab6716adcbf12d49e3822b87c (patch) | |
tree | 53a82488551e26df4cdf392b45e9a0975c7bc75f /src/redis-cli.c | |
parent | e89086e09a38cc6713bcd4b9c29abf92cf393936 (diff) | |
download | redis-ce17f76bbd95f68ab6716adcbf12d49e3822b87c.tar.gz |
Security: fix redis-cli buffer overflow.
Thanks to Fakhri Zulkifli for reporting it.
The fix switched to dynamic allocation, copying the final prompt in the
static buffer only at the end.
Diffstat (limited to 'src/redis-cli.c')
-rw-r--r-- | src/redis-cli.c | 27 |
1 files changed, 16 insertions, 11 deletions
diff --git a/src/redis-cli.c b/src/redis-cli.c index af5e6a230..b1ece6250 100644 --- a/src/redis-cli.c +++ b/src/redis-cli.c @@ -258,20 +258,25 @@ static long long mstime(void) { } static void cliRefreshPrompt(void) { - int len; - if (config.eval_ldb) return; - if (config.hostsocket != NULL) - len = snprintf(config.prompt,sizeof(config.prompt),"redis %s", - config.hostsocket); - else - len = anetFormatAddr(config.prompt, sizeof(config.prompt), - config.hostip, config.hostport); + + sds prompt = sdsempty(); + if (config.hostsocket != NULL) { + prompt = sdscatfmt(prompt,"redis %s",config.hostsocket); + } else { + char addr[256]; + anetFormatAddr(addr, sizeof(addr), config.hostip, config.hostport); + prompt = sdscatlen(prompt,addr,strlen(addr)); + } + /* Add [dbnum] if needed */ if (config.dbnum != 0) - len += snprintf(config.prompt+len,sizeof(config.prompt)-len,"[%d]", - config.dbnum); - snprintf(config.prompt+len,sizeof(config.prompt)-len,"> "); + prompt = sdscatfmt(prompt,"[%i]",config.dbnum); + + /* Copy the prompt in the static buffer. */ + prompt = sdscatlen(prompt,"> ",2); + snprintf(config.prompt,sizeof(config.prompt),"%s",prompt); + sdsfree(prompt); } /* Return the name of the dotfile for the specified 'dotfilename'. |