File CVE-2025-48367.patch of Package redis.39435
From 0fe67435935cc5724ff6eb9c4ca4120c58a15765 Mon Sep 17 00:00:00 2001
From: Ozan Tezcan <ozantezcan@gmail.com>
Date: Wed, 14 May 2025 11:02:30 +0300
Subject: [PATCH] Retry accept() even if accepted connection reports an error
(CVE-2025-48367)
If accept4() returns an error, we should check the errno value and decide
whether to retry accept4() without waiting for the next event loop iteration.
---
src/anet.c | 24 ++++++++++++++++++++++++
src/anet.h | 2 +-
src/cluster.c | 2 ++
src/networking.c | 6 ++++++
4 files changed, 33 insertions(+), 1 deletion(-)
Index: b/src/anet.c
===================================================================
--- a/src/anet.c
+++ b/src/anet.c
@@ -671,3 +671,27 @@ int anetFormatSock(int fd, char *fmt, si
anetSockName(fd,ip,sizeof(ip),&port);
return anetFormatAddr(fmt, fmt_len, ip, port);
}
+
+/* This function must be called after accept4() fails. It returns 1 if 'err'
+ * indicates accepted connection faced an error, and it's okay to continue
+ * accepting next connection by calling accept4() again. Other errors either
+ * indicate programming errors, e.g. calling accept() on a closed fd or indicate
+ * a resource limit has been reached, e.g. -EMFILE, open fd limit has been
+ * reached. In the latter case, caller might wait until resources are available.
+ * See accept4() documentation for details. */
+int anetAcceptFailureNeedsRetry(int err) {
+ if (err == ECONNABORTED)
+ return 1;
+
+#if defined(__linux__)
+ /* For details, see 'Error Handling' section on
+ * https://man7.org/linux/man-pages/man2/accept.2.html */
+ if (err == ENETDOWN || err == EPROTO || err == ENOPROTOOPT ||
+ err == EHOSTDOWN || err == ENONET || err == EHOSTUNREACH ||
+ err == EOPNOTSUPP || err == ENETUNREACH)
+ {
+ return 1;
+ }
+#endif
+ return 0;
+}
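Review bot: The doc comment on anetAcceptFailureNeedsRetry() gives the resource-limit example as `-EMFILE`, but the function compares `err` against positive errno constants and the callers in this patch pass `errno` directly, so `e.g. EMFILE` would match the code. The comment should also say that the function always returns 1 for the listed codes and keeps no retry count of its own, for instance `Callers must cap the number of retries, since a peer can trigger these errors repeatedly.`; the handlers in this patch do that through `while(max--)`. The Linux list matches the TCP/IP errors named in the linked accept(2) page. Note that accept(2) also documents EOPNOTSUPP for a listening socket that is not SOCK_STREAM, so for that code a retry cannot succeed and only the caller's loop bound ends it.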
Index: b/src/anet.h
===================================================================
--- a/src/anet.h
+++ b/src/anet.h
@@ -77,5 +77,6 @@ int anetSockName(int fd, char *ip, size_
int anetFormatAddr(char *fmt, size_t fmt_len, char *ip, int port);
int anetFormatPeer(int fd, char *fmt, size_t fmt_len);
int anetFormatSock(int fd, char *fmt, size_t fmt_len);
+int anetAcceptFailureNeedsRetry(int err);
#endif
Index: b/src/cluster.c
===================================================================
--- a/src/cluster.c
+++ b/src/cluster.c
@@ -677,6 +677,8 @@ void clusterAcceptHandler(aeEventLoop *e
while(max--) {
cfd = anetTcpAccept(server.neterr, fd, cip, sizeof(cip), &cport);
if (cfd == ANET_ERR) {
+ if (anetAcceptFailureNeedsRetry(errno))
+ continue;
if (errno != EWOULDBLOCK)
serverLog(LL_VERBOSE,
"Error accepting cluster node: %s", server.neterr);
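Review bot: The added `continue` in clusterAcceptHandler() skips the `serverLog()` call below it, so a connection that fails with a retryable error leaves no trace; the same holds for the `continue` added to acceptTcpHandler(), acceptTLSHandler() and acceptUnixHandler() in src/networking.c. This is the path a remote peer can drive repeatedly, so an operator investigating accept starvation would want it visible. Consider counting these failures in a server stat, or logging them at a low level such as `if (anetAcceptFailureNeedsRetry(errno)) { serverLog(LL_DEBUG, "Accept failed, retrying: %s", server.neterr); continue; }`. Each retry still consumes one `max--` iteration, so the loop stays bounded. The handler bodies start and end outside these hunks.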
Index: b/src/networking.c
===================================================================
--- a/src/networking.c
+++ b/src/networking.c
@@ -1054,6 +1054,8 @@ void acceptTcpHandler(aeEventLoop *el, i
while(max--) {
cfd = anetTcpAccept(server.neterr, fd, cip, sizeof(cip), &cport);
if (cfd == ANET_ERR) {
+ if (anetAcceptFailureNeedsRetry(errno))
+ continue;
if (errno != EWOULDBLOCK)
serverLog(LL_WARNING,
"Accepting client connection: %s", server.neterr);
@@ -1074,6 +1076,8 @@ void acceptTLSHandler(aeEventLoop *el, i
while(max--) {
cfd = anetTcpAccept(server.neterr, fd, cip, sizeof(cip), &cport);
if (cfd == ANET_ERR) {
+ if (anetAcceptFailureNeedsRetry(errno))
+ continue;
if (errno != EWOULDBLOCK)
serverLog(LL_WARNING,
"Accepting client connection: %s", server.neterr);
@@ -1093,6 +1097,8 @@ void acceptUnixHandler(aeEventLoop *el,
while(max--) {
cfd = anetUnixAccept(server.neterr, fd);
if (cfd == ANET_ERR) {
+ if (anetAcceptFailureNeedsRetry(errno))
+ continue;
if (errno != EWOULDBLOCK)
serverLog(LL_WARNING,
"Accepting client connection: %s", server.neterr);