File cve-2023-25155.patch of Package redis.28077

Overview Repositories Revisions Requests Users Attributes Meta

File cve-2023-25155.patch of Package redis.28077

From fe4eb9b10f31e132640f88edee08c96715a7cd8b Mon Sep 17 00:00:00 2001
From: Oran Agra <oran@redislabs.com>
Date: Tue, 21 Feb 2023 15:16:13 +0200
Subject: [PATCH] Integer Overflow in RAND commands can lead to assertion
 (CVE-2023-25155)

Issue happens when passing a negative long value that greater than
the max positive value that the long can store.

(cherry picked from commit 41430af6a821c551abb862666ef896f2c196dea6)
(cherry picked from commit f335f9c55e76c76531780c5bbf8805410b7b3ba4)
---
 src/t_set.c             | 4 ++++
 tests/unit/type/set.tcl | 5 +++++
 2 files changed, 9 insertions(+)

diff --git a/src/t_set.c b/src/t_set.c
index 504db1206..c2dbe0a78 100644
--- a/src/t_set.c
+++ b/src/t_set.c
@@ -626,6 +626,10 @@ void srandmemberWithCountCommand(client *c) {
     dict *d;
 
     if (getLongFromObjectOrReply(c,c->argv[2],&l,NULL) != C_OK) return;
+    if (l<-LONG_MAX) {
+        addReplyError(c, "value is out of range");
+        return;
+    }
     if (l >= 0) {
         count = (unsigned long) l;
     } else {
diff --git a/tests/unit/type/set.tcl b/tests/unit/type/set.tcl
index 5df1af289..d4ceae011 100644
--- a/tests/unit/type/set.tcl
+++ b/tests/unit/type/set.tcl
@@ -554,6 +554,11 @@ start_server {
         r srandmember nonexisting_key 100
     } {}
 
+    test "SRANDMEMBER count overflow" {
+        r sadd myset a
+        assert_error {*value is out of range*} {r srandmember myset -9223372036854775808}
+    } {}
+
     foreach {type contents} {
         hashtable {
             1 5 10 50 125 50000 33959417 4775547 65434162
-- 
2.35.3

Places

File cve-2023-25155.patch of Package redis.28077

Places