Skip to content

Commit 9fdcc15

Browse files
committed
Security: fix redis-cli buffer overflow.
Thanks to Fakhri Zulkifli for reporting it. The fix switched to dynamic allocation, copying the final prompt in the static buffer only at the end.
1 parent cf76007 commit 9fdcc15

File tree

1 file changed

+16
-11
lines changed

1 file changed

+16
-11
lines changed

Diff for: src/redis-cli.c

+16-11
Original file line numberDiff line numberDiff line change
@@ -152,20 +152,25 @@ static long long mstime(void) {
152152
}
153153

154154
static void cliRefreshPrompt(void) {
155-
int len;
156-
157155
if (config.eval_ldb) return;
158-
if (config.hostsocket != NULL)
159-
len = snprintf(config.prompt,sizeof(config.prompt),"redis %s",
160-
config.hostsocket);
161-
else
162-
len = anetFormatAddr(config.prompt, sizeof(config.prompt),
163-
config.hostip, config.hostport);
156+
157+
sds prompt = sdsempty();
158+
if (config.hostsocket != NULL) {
159+
prompt = sdscatfmt(prompt,"redis %s",config.hostsocket);
160+
} else {
161+
char addr[256];
162+
anetFormatAddr(addr, sizeof(addr), config.hostip, config.hostport);
163+
prompt = sdscatlen(prompt,addr,strlen(addr));
164+
}
165+
164166
/* Add [dbnum] if needed */
165167
if (config.dbnum != 0)
166-
len += snprintf(config.prompt+len,sizeof(config.prompt)-len,"[%d]",
167-
config.dbnum);
168-
snprintf(config.prompt+len,sizeof(config.prompt)-len,"> ");
168+
prompt = sdscatfmt(prompt,"[%i]",config.dbnum);
169+
170+
/* Copy the prompt in the static buffer. */
171+
prompt = sdscatlen(prompt,"> ",2);
172+
snprintf(config.prompt,sizeof(config.prompt),"%s",prompt);
173+
sdsfree(prompt);
169174
}
170175

171176
/* Return the name of the dotfile for the specified 'dotfilename'.

0 commit comments

Comments
 (0)