From c5e6a6204c4cf57f85e7c83a9b4e99f1a7204fd2 Mon Sep 17 00:00:00 2001 From: Oran Agra Date: Mon, 4 Oct 2021 12:11:02 +0300 Subject: Fix ziplist and listpack overflows and truncations (CVE-2021-32627, CVE-2021-32628) (#9589) - fix possible heap corruption in ziplist and listpack resulting by trying to allocate more than the maximum size of 4GB. - prevent ziplist (hash and zset) from reaching size of above 1GB, will be converted to HT encoding, that's not a useful size. - prevent listpack (stream) from reaching size of above 1GB. - XADD will start a new listpack if the new record may cause the previous listpack to grow over 1GB. - XADD will respond with an error if a single stream record is over 1GB - List type (ziplist in quicklist) was truncating strings that were over 4GB, now it'll respond with an error. Co-authored-by: sundb
---
 src/listpack.h | 1 + 1 file changed, 1 insertion(+) (limited to 'src/listpack.h')
diff --git a/src/listpack.h b/src/listpack.h
index 535513ac2..2ac7ac16b 100644
--- a/src/listpack.h
+++ b/src/listpack.h
@@ -87,6 +87,7 @@ unsigned int lpCompare(unsigned char *p, unsigned char *s, uint32_t slen);
 void lpRandomPair(unsigned char *lp, unsigned long total_count, listpackEntry *key, listpackEntry *val);
 void lpRandomPairs(unsigned char *lp, unsigned int count, listpackEntry *keys, listpackEntry *vals);
 unsigned int lpRandomPairsUnique(unsigned char *lp, unsigned int count, listpackEntry *keys, listpackEntry *vals);
+int lpSafeToAdd(unsigned char* lp, size_t add);
 #ifdef REDIS_TEST
 int listpackTest(int argc, char *argv[], int accurate);
-- cgit v1.2.1
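Review bot: The added prototype `int lpSafeToAdd(unsigned char* lp, size_t add);` is the size guard that the commit message's 1GB listpack limit depends on, yet the header says nothing about its contract. A caller cannot tell from here which return value means "safe", whether `lp` may be NULL for a listpack that does not exist yet, or that the result must be checked before every insert or append. I would add a comment above it along the lines of `/* Returns non-zero when 'add' more bytes still keep the listpack within the safety limit; callers must check this before growing lp. */`, with the wording confirmed against the definition in listpack.c, which this page does not show. If that definition sums the current size and `add` before comparing, it is worth confirming there that the sum cannot wrap `size_t` on 32-bit builds. As a style point, the rest of this header writes `unsigned char *lp`, so the declarator should read `int lpSafeToAdd(unsigned char *lp, size_t add);`.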