From cfb449cc8066a0b1f0225b6278241d0d9d20a779 Mon Sep 17 00:00:00 2001
From: Oran Agra
Date: Mon, 14 Dec 2020 17:10:31 +0200
Subject: [PATCH] Sanitize dump payload: excessive free on dup zset fields (#8189)

---
 src/rdb.c | 2 +-
 tests/integration/corrupt-dump.tcl | 10 ++++++++++
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/rdb.c b/src/rdb.c
index 46f78e75a..58e7d2cff 100644
--- a/src/rdb.c
+++ b/src/rdb.c
@@ -1659,7 +1659,7 @@ robj *rdbLoadObject(int rdbtype, rio *rdb, sds key) {
 if (dictAdd(zs->dict,sdsele,&znode->score) != DICT_OK) {
 rdbReportCorruptRDB("Duplicate zset fields detected");
 decrRefCount(o);
- sdsfree(sdsele);
+ /* no need to free 'sdsele', will be released by zslFree together with 'o' */
 return NULL;
 }
 }
diff --git a/tests/integration/corrupt-dump.tcl b/tests/integration/corrupt-dump.tcl
index 4b09d45b9..cc597bb4d 100644
--- a/tests/integration/corrupt-dump.tcl
+++ b/tests/integration/corrupt-dump.tcl
@@ -497,5 +497,15 @@ test {corrupt payload: fuzzer findings - valgrind negative malloc} {
 }
 }
 
+test {corrupt payload: fuzzer findings - valgrind invalid read} {
+ start_server [list overrides [list loglevel verbose use-exit-on-panic yes crash-memcheck-enabled no] ] {
+ r config set sanitize-dump-payload yes
+ r debug set-skip-checksum-validation 1
+ catch {r RESTORE _key 0 "\x05\x0A\x02\x5F\x39\x00\x00\x00\x00\x00\x00\x22\x40\xC0\x08\x00\x00\x00\x00\x00\x00\x20\x40\x02\x5F\x37\x00\x00\x00\x00\x00\x00\x1C\x40\xC0\x06\x00\x00\x00\x00\x00\x00\x18\x40\x02\x5F\x33\x00\x00\x00\x00\x00\x00\x14\x40\xC0\x04\x00\x00\x00\x00\x00\x00\x10\x40\x02\x5F\x33\x00\x00\x00\x00\x00\x00\x08\x40\xC0\x02\x00\x00\x00\x00\x00\x00\x00\x40\x02\x5F\x31\x00\x00\x00\x00\x00\x00\xF0\x3F\xC0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x09\x00\x3C\x66\xD7\x14\xA9\xDA\x3C\x69"} err
+ assert_match "*Bad data format*" $err
+ r ping
+ }
+}
+
 } ;# tags
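Review bot: The replacement comment on the `+` line states that `sdsele` will be released by zslFree, but not the invariant the fix depends on: at this point `sdsele` is already owned by the skiplist node (`znode`, presumably inserted just before the hunk), so the old `sdsfree(sdsele)` was a double free, and if the skiplist insert were ever moved after the `dictAdd` this path would silently become a leak instead. A comment that names the ordering would protect the next maintainer: `/* 'sdsele' is already owned by the skiplist node inserted above; decrRefCount(o) -> zslFree releases it, so freeing it here would be a double free. */`. It is also worth checking whether the other duplicate-field rejection paths in this loader handle ownership the same way, since this one was only caught by fuzzing. rdbLoadObject starts and ends outside the hunk.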
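Review bot: The new test's name ("valgrind invalid read") and the opaque hex payload give no hint of what is being regressed, so a reader cannot tell this is the duplicate-zset-field double free without decoding the bytes; the payload visibly contains the field `\x02\x5F\x33` ("_3") twice, which is what triggers the rejection. A comment above the `catch` line such as `# zset (type 5) payload carrying the field "_3" twice; the loader must reject it without double-freeing the duplicate` would make the intent explicit. Note also that without valgrind or a sanitizer the `assert_match` and `r ping` only prove the server survived, not that the extra free is gone, so the test is only a regression guard under the memcheck run.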