gvsafronov/futriix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sanity check for the bulk argument in protocol parsing code, fixing issue 146

Browse Source
This commit is contained in:
antirez 2010-08-24 11:45:05 +02:00
parent e193873025
commit a679185aa5
2 changed files with 14 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
src/redis.c
View File

@ -912,9 +912,14 @@ int processCommand(redisClient *c) {
resetClient(c); resetClient(c);
return 1; return 1;
} else { } else {
int bulklen = atoi(((char*)c->argv[0]->ptr)+1); char *eptr;
long bulklen = strtol(((char*)c->argv[0]->ptr)+1,&eptr,10);
int perr = eptr[0] != '\0';
decrRefCount(c->argv[0]); decrRefCount(c->argv[0]);
if (bulklen < 0 || bulklen > 1024*1024*1024) { if (perr || bulklen == LONG_MIN || bulklen == LONG_MAX ||
bulklen < 0 || bulklen > 1024*1024*1024)
{
c->argc--; c->argc--;
addReplySds(c,sdsnew("-ERR invalid bulk write count\r\n")); addReplySds(c,sdsnew("-ERR invalid bulk write count\r\n"));
resetClient(c); resetClient(c);
@ -984,10 +989,14 @@ int processCommand(redisClient *c) {
return 1; return 1;
} else if (cmd->flags & REDIS_CMD_BULK && c->bulklen == -1) { } else if (cmd->flags & REDIS_CMD_BULK && c->bulklen == -1) {
/* This is a bulk command, we have to read the last argument yet. */ /* This is a bulk command, we have to read the last argument yet. */
int bulklen = atoi(c->argv[c->argc-1]->ptr); char *eptr;
long bulklen = strtol(c->argv[c->argc-1]->ptr,&eptr,10);
int perr = eptr[0] != '\0';
decrRefCount(c->argv[c->argc-1]); decrRefCount(c->argv[c->argc-1]);
if (bulklen < 0 || bulklen > 1024*1024*1024) { if (perr || bulklen == LONG_MAX || bulklen == LONG_MIN ||
bulklen < 0 || bulklen > 1024*1024*1024)
{
c->argc--; c->argc--;
addReplySds(c,sdsnew("-ERR invalid bulk write count\r\n")); addReplySds(c,sdsnew("-ERR invalid bulk write count\r\n"));
resetClient(c); resetClient(c);

2
src/redis.h
View File

@ -283,7 +283,7 @@ typedef struct redisClient {
sds querybuf; sds querybuf;
robj **argv, **mbargv; robj **argv, **mbargv;
int argc, mbargc; int argc, mbargc;
int bulklen; /* bulk read len. -1 if not in bulk read mode */ long bulklen; /* bulk read len. -1 if not in bulk read mode */
int multibulk; /* multi bulk command format active */ int multibulk; /* multi bulk command format active */
list *reply; list *reply;
int sentlen; int sentlen;