File redis-CVE-2023-25155.patch of Package redis

Overview Repositories Revisions Requests Users Attributes Meta

File redis-CVE-2023-25155.patch of Package redis

From fe4eb9b10f31e132640f88edee08c96715a7cd8b Mon Sep 17 00:00:00 2001
From: Oran Agra <oran@redislabs.com>
Date: Tue, 21 Feb 2023 15:16:13 +0200
Subject: [PATCH] Integer Overflow in RAND commands can lead to assertion
 (CVE-2023-25155)

Issue happens when passing a negative long value that greater than
the max positive value that the long can store.

(cherry picked from commit 41430af6a821c551abb862666ef896f2c196dea6)
(cherry picked from commit f335f9c55e76c76531780c5bbf8805410b7b3ba4)
---
 src/t_set.c             | 4 ++++
 tests/unit/type/set.tcl | 5 +++++
 2 files changed, 9 insertions(+)

Index: src/t_set.c
===================================================================
--- redis-6.2.6.orig/src/t_set.c
+++ redis-6.2.6/src/t_set.c
@@ -668,6 +668,10 @@ void srandmemberWithCountCommand(client
     dict *d;
 
     if (getLongFromObjectOrReply(c,c->argv[2],&l,NULL) != C_OK) return;
+    if (l<-LONG_MAX) {
+        addReplyError(c, "value is out of range");
+        return;
+    }
     if (l >= 0) {
         count = (unsigned long) l;
     } else {
Index: tests/unit/type/set.tcl
===================================================================
--- redis-6.2.6.orig/tests/unit/type/set.tcl
+++ redis-6.2.6/tests/unit/type/set.tcl
@@ -601,6 +601,11 @@ start_server {
 
     r readraw 0
 
+    test "SRANDMEMBER count overflow" {
+        r sadd myset a
+        assert_error {*value is out of range*} {r srandmember myset -9223372036854775808}
+    } {}
+
     foreach {type contents} {
         hashtable {
             1 5 10 50 125 50000 33959417 4775547 65434162

Places

File redis-CVE-2023-25155.patch of Package redis

Places