File CVE-2023-28425.patch of Package redis7.35902
From 6956d15b776e72f7274b516224e930f2c957bac3 Mon Sep 17 00:00:00 2001
From: Oran Agra <oran@redislabs.com>
Date: Mon, 20 Mar 2023 14:42:07 +0200
Subject: [PATCH] Avoid assertion when MSETNX is used with the same key twice
(CVE-2023-28425)
Using the same key twice in MSETNX command would trigger an assertion.
This reverts #11594 (introduced in Redis 7.0.8)
---
src/t_string.c | 4 +---
tests/unit/type/string.tcl | 9 +++++++++
2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/t_string.c b/src/t_string.c
index af58d7d5478c..4659e18610df 100644
--- a/src/t_string.c
+++ b/src/t_string.c
@@ -561,7 +561,6 @@ void mgetCommand(client *c) {
void msetGenericCommand(client *c, int nx) {
int j;
- int setkey_flags = 0;
if ((c->argc % 2) == 0) {
addReplyErrorArity(c);
@@ -577,12 +576,11 @@ void msetGenericCommand(client *c, int nx) {
return;
}
}
- setkey_flags |= SETKEY_DOESNT_EXIST;
}
for (j = 1; j < c->argc; j += 2) {
c->argv[j+1] = tryObjectEncoding(c->argv[j+1]);
- setKey(c, c->db, c->argv[j], c->argv[j + 1], setkey_flags);
+ setKey(c, c->db, c->argv[j], c->argv[j + 1], 0);
notifyKeyspaceEvent(NOTIFY_STRING,"set",c->argv[j],c->db->id);
}
server.dirty += (c->argc-1)/2;
diff --git a/tests/unit/type/string.tcl b/tests/unit/type/string.tcl
index f32f72368a4e..c535da953977 100644
--- a/tests/unit/type/string.tcl
+++ b/tests/unit/type/string.tcl
@@ -234,6 +234,15 @@ start_server {tags {"string"}} {
list [r msetnx x1{t} xxx y2{t} yyy] [r get x1{t}] [r get y2{t}]
} {1 xxx yyy}
+ test {MSETNX with not existing keys - same key twice} {
+ r del x1{t}
+ list [r msetnx x1{t} xxx x1{t} yyy] [r get x1{t}]
+ } {1 yyy}
+
+ test {MSETNX with already existing keys - same key twice} {
+ list [r msetnx x1{t} xxx x1{t} zzz] [r get x1{t}]
+ } {0 yyy}
+
test "STRLEN against non-existing key" {
assert_equal 0 [r strlen notakey]
}
