File CVE-2025-21605.patch of Package redis7.38527
From 42fb340ce426364d64f5dccc9c2549e58f48ac6f Mon Sep 17 00:00:00 2001
From: YaacovHazan <yaacov.hazan@redis.com>
Date: Wed, 23 Apr 2025 08:09:40 +0000
Subject: [PATCH] Limiting output buffer for unauthenticated client
(CVE-2025-21605)
For unauthenticated clients the output buffer is limited to prevent
them from abusing it by not reading the replies
---
src/networking.c | 5 +++++
tests/unit/auth.tcl | 18 ++++++++++++++++++
2 files changed, 23 insertions(+)
diff --git a/src/networking.c b/src/networking.c
index 7007141a867..bb1a72b9fb4 100644
--- a/src/networking.c
+++ b/src/networking.c
@@ -3858,6 +3858,11 @@ int checkClientOutputBufferLimits(client *c) {
int soft = 0, hard = 0, class;
unsigned long used_mem = getClientOutputBufferMemoryUsage(c);
+ /* For unauthenticated clients the output buffer is limited to prevent
+ * them from abusing it by not reading the replies */
+ if (used_mem > 1024 && authRequired(c))
+ return 1;
+
class = getClientType(c);
/* For the purpose of output buffer limiting, masters are handled
* like normal clients. */
diff --git a/tests/unit/auth.tcl b/tests/unit/auth.tcl
index 9532e0bd2eb..0d25f5dea2d 100644
--- a/tests/unit/auth.tcl
+++ b/tests/unit/auth.tcl
@@ -45,6 +45,24 @@ start_server {tags {"auth external:skip"} overrides {requirepass foobar}} {
assert_match {*unauthenticated bulk length*} $e
$rr close
}
+
+ test {For unauthenticated clients output buffer is limited} {
+ set rr [redis [srv "host"] [srv "port"] 1 $::tls]
+ $rr SET x 5
+ catch {[$rr read]} e
+ assert_match {*NOAUTH Authentication required*} $e
+
+ # Fill the output buffer in a loop without reading it and make
+ # sure the client disconnected.
+ # Considering the socket eat some of the replies, we are testing
+ # that such client can't consume more than few MB's.
+ catch {
+ for {set j 0} {$j < 1000000} {incr j} {
+ $rr SET x 5
+ }
+ } e
+ assert_match {I/O error reading reply} $e
+ }
}
start_server {tags {"auth_binary_password external:skip"}} {
