Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix integer overflow. #8522

Merged
merged 1 commit into from Feb 22, 2021
Merged

Fix integer overflow. #8522

merged 1 commit into from Feb 22, 2021

Conversation

yossigo
Copy link
Member

@yossigo yossigo commented Feb 22, 2021

On 32-bit systems, setting the proto-max-bulk-len config parameter to a high value may result with integer overflow and a subsequent heap overflow when parsing an input bulk (CVE-2021-21309).

This fix has two parts:

  • Set a reasonable limit to the config parameter.
  • Add additional checks to prevent the problem in other potential but unknown code paths.

@yossigo yossigo merged commit d32f2e9 into redis:unstable Feb 22, 2021
@yossigo yossigo deleted the integer-overflow branch February 22, 2021 13:41
@oranagra oranagra mentioned this pull request Feb 22, 2021
oranagra pushed a commit to oranagra/redis that referenced this pull request Feb 22, 2021
On 32-bit systems, setting the proto-max-bulk-len config parameter to a high value may result with integer overflow and a subsequent heap overflow when parsing an input bulk (CVE-2021-21309).

This fix has two parts:

Set a reasonable limit to the config parameter.
Add additional checks to prevent the problem in other potential but unknown code paths.

(cherry picked from commit d32f2e9)
This was referenced Feb 22, 2021
oranagra pushed a commit to oranagra/redis that referenced this pull request Feb 22, 2021
On 32-bit systems, setting the proto-max-bulk-len config parameter to a high value may result with integer overflow and a subsequent heap overflow when parsing an input bulk (CVE-2021-21309).

This fix has two parts:

Set a reasonable limit to the config parameter.
Add additional checks to prevent the problem in other potential but unknown code paths.

(cherry picked from commit d32f2e9)

Fix MSVR reported issue.
oranagra pushed a commit to oranagra/redis that referenced this pull request Feb 22, 2021
On 32-bit systems, setting the proto-max-bulk-len config parameter to a high value may result with integer overflow and a subsequent heap overflow when parsing an input bulk (CVE-2021-21309).

This fix has two parts:

Set a reasonable limit to the config parameter.
Add additional checks to prevent the problem in other potential but unknown code paths.

(cherry picked from commit d32f2e9)
oranagra pushed a commit that referenced this pull request Feb 22, 2021
On 32-bit systems, setting the proto-max-bulk-len config parameter to a high value may result with integer overflow and a subsequent heap overflow when parsing an input bulk (CVE-2021-21309).

This fix has two parts:

Set a reasonable limit to the config parameter.
Add additional checks to prevent the problem in other potential but unknown code paths.

(cherry picked from commit d32f2e9)

Fix MSVR reported issue.
oranagra pushed a commit that referenced this pull request Feb 22, 2021
On 32-bit systems, setting the proto-max-bulk-len config parameter to a high value may result with integer overflow and a subsequent heap overflow when parsing an input bulk (CVE-2021-21309).

This fix has two parts:

Set a reasonable limit to the config parameter.
Add additional checks to prevent the problem in other potential but unknown code paths.

(cherry picked from commit d32f2e9)
JackieXie168 pushed a commit to JackieXie168/redis that referenced this pull request Mar 2, 2021
On 32-bit systems, setting the proto-max-bulk-len config parameter to a high value may result with integer overflow and a subsequent heap overflow when parsing an input bulk (CVE-2021-21309).

This fix has two parts:

Set a reasonable limit to the config parameter.
Add additional checks to prevent the problem in other potential but unknown code paths.
bjosv added a commit to Nordix/hiredis that referenced this pull request Feb 1, 2022
Equivalent changes introduced to redis sds.c via:
redis/redis#8522
redis/redis#9584
bjosv added a commit to Nordix/hiredis that referenced this pull request Feb 1, 2022
Equivalent changes introduced to redis sds.c via:
redis/redis#8522
redis/redis#9584
@@ -57,6 +57,12 @@ void zlibc_free(void *ptr) {
#endif
#endif

#if PREFIX_SIZE > 0
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How does this even compile if PREFIX_SIZE is defined as (sizeof(size_t)), for example?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ivanstosic-janea it didn't.
Hence #8531

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants