[Vector sets] More rdb loading fixes (#14032)

Hi all, this PR fixes two things: 1. An assertion, that prevented the RDB loading from recovery if there was a quantization type mismatch (with regression test). 2. Two code paths that just returned NULL without proper cleanup during RDB loading.
2025-05-12 20:57:38 +02:00 · 2025-05-12 20:57:38 +02:00 · 65e164caff
parent e1789e4368
commit 65e164caff
2 changed files with 26 additions and 3 deletions
--- a/modules/vector-sets/vset.c
+++ b/modules/vector-sets/vset.c
@ -1746,6 +1746,12 @@ void *VectorSetRdbLoad(RedisModuleIO *rdb, int encver) {
    uint32_t quant_type = hnsw_config & 0xff;
    uint32_t hnsw_m = (hnsw_config >> 8) & 0xffff;

+    /* Check that the quantization type is correct. Otherwise
+     * return ASAP signaling the error. */
+    if (quant_type != HNSW_QUANT_NONE &&
+        quant_type != HNSW_QUANT_Q8 &&
+        quant_type != HNSW_QUANT_BIN) return NULL;
+
    if (hnsw_m == 0) hnsw_m = 16; // Default, useful for RDB files predating
                                  // this configuration parameter: it was fixed
                                  // to 16.
@ -1768,7 +1774,7 @@ void *VectorSetRdbLoad(RedisModuleIO *rdb, int encver) {

        // Load projection matrix as a binary blob
        char *matrix_blob = RedisModule_LoadStringBuffer(rdb, NULL);
-        if (RedisModule_IsIOError(rdb)) goto ioerr;
+        if (matrix_blob == NULL) goto ioerr;
        memcpy(vset->proj_matrix, matrix_blob, matrix_size);
        RedisModule_Free(matrix_blob);
    }
@ -1802,7 +1808,10 @@ void *VectorSetRdbLoad(RedisModuleIO *rdb, int encver) {
        if (vector_len != vector_bytes) {
            RedisModule_LogIOError(rdb,"warning",
                                       "Mismatching vector dimension");
-            return NULL; // Loading error.
+            RedisModule_FreeString(NULL,ele);
+            if (attrib) RedisModule_FreeString(NULL,attrib);
+            RedisModule_Free(vector);
+            goto ioerr;
        }

        // Load node parameters back.
@ -1834,7 +1843,10 @@ void *VectorSetRdbLoad(RedisModuleIO *rdb, int encver) {
        if (node == NULL) {
            RedisModule_LogIOError(rdb,"warning",
                                       "Vector set node index loading error");
-            return NULL; // Loading error: likely a corruption.
+            vectorSetReleaseNodeValue(nv);
+            RedisModule_Free(vector);
+            RedisModule_Free(params);
+            goto ioerr;
        }
        if (nv->attrib) vset->numattribs++;
        RedisModule_DictSet(vset->dict,ele,node);
--- a/tests/integration/corrupt-dump.tcl
+++ b/tests/integration/corrupt-dump.tcl
@ -931,5 +931,16 @@ test {corrupt payload: hash listpack encoded with invalid length causes hscan to
    }
 }

+test {corrupt payload: fuzzer findings - vector sets with wrong encoding} {
+    start_server [list overrides [list loglevel verbose use-exit-on-panic yes crash-memcheck-enabled no] ] {
+        r config set sanitize-dump-payload yes
+        r debug set-skip-checksum-validation 1
+        catch {r restore _key 0 "\x07\x81\xBD\xE7\x2D\xA2\xBB\x1E\xB4\x00\x02\x03\x02\x03\x02\x50\x8F\x02\x00\x05\xC0\x02\x05\x03\x7F\x7F\x7F\x02\x07\x02\x03\x02\x00\x02\x02\x02\x20\x02\x01\x02\x02\x02\x81\x3F\x13\xCD\x3A\x3F\xDD\xB3\xD7\x05\xC0\x01\x05\x03\x7F\x7F\x7F\x02\x0B\x02\x02\x02\x02\x02\x02\x02\x20\x02\x01\x02\x03\x02\x06\x02\x10\x02\x00\x02\x10\x02\x81\x3F\x13\xCD\x3A\x3F\xDD\xB3\xD7\x05\xC0\x00\x05\x03\x7F\x7F\x7F\x02\x07\x02\x01\x02\x00\x02\x02\x02\x20\x02\x02\x02\x03\x02\x81\x3F\x13\xCD\x3A\x3F\xDD\xB3\xD7\x00\x0C\x00\xC6\xA3\x70\x40\x02\x26\xE8\x9B"} err
+        assert_match "*Bad data format*" $err
+        r ping
+    }
+}
+
+
 } ;# tags