File CVE-2025-21605.patch of Package redis.38525
From 5e93f9cb9dbc3e7ac9bce36f2838156cbc5c9e62 Mon Sep 17 00:00:00 2001
From: YaacovHazan <yaacov.hazan@redis.com>
Date: Wed, 23 Apr 2025 08:09:40 +0000
Subject: [PATCH] Limiting output buffer for unauthenticated client
(CVE-2025-21605)
For unauthenticated clients the output buffer is limited to prevent
them from abusing it by not reading the replies
---
src/networking.c | 5 +++++
tests/unit/auth.tcl | 18 ++++++++++++++++++
2 files changed, 23 insertions(+)
diff --git a/src/networking.c b/src/networking.c
index 9f654063c69..11891d3e970 100644
--- a/src/networking.c
+++ b/src/networking.c
@@ -3285,6 +3285,11 @@ int checkClientOutputBufferLimits(client *c) {
int soft = 0, hard = 0, class;
unsigned long used_mem = getClientOutputBufferMemoryUsage(c);
+ /* For unauthenticated clients the output buffer is limited to prevent
+ * them from abusing it by not reading the replies */
+ if (used_mem > 1024 && authRequired(c))
+ return 1;
+
class = getClientType(c);
/* For the purpose of output buffer limiting, masters are handled
* like normal clients. */
diff --git a/tests/unit/auth.tcl b/tests/unit/auth.tcl
index 5997707c64f..2a730d766ae 100644
--- a/tests/unit/auth.tcl
+++ b/tests/unit/auth.tcl
@@ -40,6 +40,24 @@ start_server {tags {"auth"} overrides {requirepass foobar}} {
assert_match {*unauthenticated bulk length*} $e
$rr close
}
+
+ test {For unauthenticated clients output buffer is limited} {
+ set rr [redis [srv "host"] [srv "port"] 1 $::tls]
+ $rr SET x 5
+ catch {[$rr read]} e
+ assert_match {*NOAUTH Authentication required*} $e
+
+ # Fill the output buffer in a loop without reading it and make
+ # sure the client disconnected.
+ # Considering the socket eat some of the replies, we are testing
+ # that such client can't consume more than few MB's.
+ catch {
+ for {set j 0} {$j < 1000000} {incr j} {
+ $rr SET x 5
+ }
+ } e
+ assert_match {I/O error reading reply} $e
+ }
}
start_server {tags {"auth_binary_password"}} {
