File CVE-2023-25155.patch of Package redis7.36953
From 2a2a582e7cd99ba3b531336b8bd41df2b566e619 Mon Sep 17 00:00:00 2001
From: Oran Agra <oran@redislabs.com>
Date: Tue, 21 Feb 2023 15:16:13 +0200
Subject: [PATCH] Integer Overflow in RAND commands can lead to assertion
(CVE-2023-25155)
The issue happens when passing a negative long value whose magnitude is
greater than the maximum positive value that a long can store.
---
src/t_hash.c | 4 ++--
src/t_set.c | 2 +-
src/t_zset.c | 4 ++--
tests/unit/type/hash.tcl | 2 ++
tests/unit/type/set.tcl | 5 +++++
tests/unit/type/zset.tcl | 2 ++
6 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/src/t_hash.c b/src/t_hash.c
index 754315080d57..f4ddccc62134 100644
--- a/src/t_hash.c
+++ b/src/t_hash.c
@@ -1120,13 +1120,13 @@ void hrandfieldCommand(client *c) {
listpackEntry ele;
if (c->argc >= 3) {
- if (getLongFromObjectOrReply(c,c->argv[2],&l,NULL) != C_OK) return;
+ if (getRangeLongFromObjectOrReply(c,c->argv[2],-LONG_MAX,LONG_MAX,&l,NULL) != C_OK) return;
if (c->argc > 4 || (c->argc == 4 && strcasecmp(c->argv[3]->ptr,"withvalues"))) {
addReplyErrorObject(c,shared.syntaxerr);
return;
} else if (c->argc == 4) {
withvalues = 1;
- if (l < LONG_MIN/2 || l > LONG_MAX/2) {
+ if (l < -LONG_MAX/2 || l > LONG_MAX/2) {
addReplyError(c,"value is out of range");
return;
}
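Review bot: The `-LONG_MAX` lower bound in the new `getRangeLongFromObjectOrReply` call has no comment explaining why only `LONG_MIN` is excluded, and the same literal range is repeated in `srandmemberWithCountCommand` (t_set.c) and `zrandmemberCommand` (t_zset.c). The negation of `l` is not visible in this hunk, so the reason is inferred from the commit subject: presumably a negative count is negated later, and `-LONG_MIN` is not representable in a `long`. I would add `/* Reject LONG_MIN: a negative count is negated later and -LONG_MIN overflows. */` above each of the three calls, so that a later cleanup does not widen the range back to `LONG_MIN`. The body of `hrandfieldCommand` starts and ends outside the hunk.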
diff --git a/src/t_set.c b/src/t_set.c
index b01729f0a6b0..dff66d05273d 100644
--- a/src/t_set.c
+++ b/src/t_set.c
@@ -665,7 +665,7 @@ void srandmemberWithCountCommand(client *c) {
dict *d;
- if (getLongFromObjectOrReply(c,c->argv[2],&l,NULL) != C_OK) return;
+ if (getRangeLongFromObjectOrReply(c,c->argv[2],-LONG_MAX,LONG_MAX,&l,NULL) != C_OK) return;
if (l >= 0) {
count = (unsigned long) l;
} else {
diff --git a/src/t_zset.c b/src/t_zset.c
index 3cd2d24381cc..a9b5031ea328 100644
--- a/src/t_zset.c
+++ b/src/t_zset.c
@@ -4289,13 +4289,13 @@ void zrandmemberCommand(client *c) {
listpackEntry ele;
if (c->argc >= 3) {
- if (getLongFromObjectOrReply(c,c->argv[2],&l,NULL) != C_OK) return;
+ if (getRangeLongFromObjectOrReply(c,c->argv[2],-LONG_MAX,LONG_MAX,&l,NULL) != C_OK) return;
if (c->argc > 4 || (c->argc == 4 && strcasecmp(c->argv[3]->ptr,"withscores"))) {
addReplyErrorObject(c,shared.syntaxerr);
return;
} else if (c->argc == 4) {
withscores = 1;
- if (l < LONG_MIN/2 || l > LONG_MAX/2) {
+ if (l < -LONG_MAX/2 || l > LONG_MAX/2) {
addReplyError(c,"value is out of range");
return;
}
diff --git a/tests/unit/type/hash.tcl b/tests/unit/type/hash.tcl
index fcb42e81e4ed..4edb146ed5da 100644
--- a/tests/unit/type/hash.tcl
+++ b/tests/unit/type/hash.tcl
@@ -74,6 +74,8 @@ start_server {tags {"hash"}} {
test "HRANDFIELD count overflow" {
r hmset myhash a 1
assert_error {*value is out of range*} {r hrandfield myhash -9223372036854770000 withvalues}
+ assert_error {*value is out of range*} {r hrandfield myhash -9223372036854775808 withvalues}
+ assert_error {*value is out of range*} {r hrandfield myhash -9223372036854775808}
} {}
test "HRANDFIELD with <count> against non existing key" {
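Review bot: The added assertions only send `-9223372036854775808`, which the new range check on the count argument rejects before the `withvalues` branch is reached, so the changed comparison `l < -LONG_MAX/2` in t_hash.c is never exercised at its boundary. Assuming a 64-bit `long`, `-4611686018427387904` is the one value that the old `LONG_MIN/2` test accepted and the new one rejects. Adding `assert_error {*value is out of range*} {r hrandfield myhash -4611686018427387904 withvalues}` would pin that line. The same applies to the `ZRANDMEMBER count overflow` test in zset.tcl with `withscores`.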
diff --git a/tests/unit/type/set.tcl b/tests/unit/type/set.tcl
index 30b6dc5d74df..5257dccea37b 100644
--- a/tests/unit/type/set.tcl
+++ b/tests/unit/type/set.tcl
@@ -645,6 +645,11 @@ start_server {
r srandmember nonexisting_key 100
} {}
+ test "SRANDMEMBER count overflow" {
+ r sadd myset a
+ assert_error {*value is out of range*} {r srandmember myset -9223372036854775808}
+ } {}
+
# Make sure we can distinguish between an empty array and a null response
r readraw 1
diff --git a/tests/unit/type/zset.tcl b/tests/unit/type/zset.tcl
index a758aee46456..88c0bcb43992 100644
--- a/tests/unit/type/zset.tcl
+++ b/tests/unit/type/zset.tcl
@@ -2303,6 +2303,8 @@ start_server {tags {"zset"}} {
test "ZRANDMEMBER count overflow" {
r zadd myzset 0 a
assert_error {*value is out of range*} {r zrandmember myzset -9223372036854770000 withscores}
+ assert_error {*value is out of range*} {r zrandmember myzset -9223372036854775808 withscores}
+ assert_error {*value is out of range*} {r zrandmember myzset -9223372036854775808}
} {}
# Make sure we can distinguish between an empty array and a null response