mirrors
/
redis
mirror of https://mirror.osredm.com/root/redis.git
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

santize dump payload: fix carsh when zset with NAN score (#10002) 

`zslInsert` with a NAN score will crash the server.
This one found by the `corrupt-dump-fuzzer`.
This commit is contained in:
Binbin 2021-12-26 17:40:11 +08:00 committed by GitHub
parent 365cbf46a7
commit e84ccc3f56
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 18 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/rdb.c
View File

@ -1857,6 +1857,13 @@ robj *rdbLoadObject(int rdbtype, rio *rdb, sds key, int dbid, int *error) {
}
}
if (isnan(score)) {
rdbReportCorruptRDB("Zset with NAN score detected");
decrRefCount(o);
sdsfree(sdsele);
return NULL;
}
/* Don't care about integer-encoded strings. */
if (sdslen(sdsele) > maxelelen) maxelelen = sdslen(sdsele);
totelelen += sdslen(sdsele);

12
tests/integration/corrupt-dump.tcl
View File

@ -753,7 +753,7 @@ test {corrupt payload: fuzzer findings - gcc asan reports false leak on assert}
}
}
test {corrupt payload: fuzzer findings - lpFind invalid access } {
test {corrupt payload: fuzzer findings - lpFind invalid access} {
start_server [list overrides [list loglevel verbose use-exit-on-panic yes crash-memcheck-enabled no] ] {
r debug set-skip-checksum-validation 1
r config set sanitize-dump-payload no
@ -773,5 +773,15 @@ test {corrupt payload: fuzzer findings - invalid access in ziplist tail prevlen
}
}
test {corrupt payload: fuzzer findings - zset zslInsert with a NAN score} {
start_server [list overrides [list loglevel verbose use-exit-on-panic yes crash-memcheck-enabled no] ] {
r config set sanitize-dump-payload no
r debug set-skip-checksum-validation 1
catch {r restore _nan_zset 0 "\x05\x0A\x02\x5F\x39\x00\x00\x00\x00\x00\x00\x22\x40\xC0\x08\x00\x00\x00\x00\x00\x00\x20\x40\x02\x5F\x37\x00\x00\x00\x00\x00\x00\x1C\x40\xC0\x06\x00\x00\x00\x00\x00\x00\x18\x40\x02\x5F\x35\x00\x00\x00\x00\x00\x00\x14\x40\xC0\x04\x00\x00\x00\x00\x00\x00\x10\x40\x02\x5F\x33\x00\x00\x00\x00\x00\x00\x08\x40\xC0\x02\x00\x00\x00\x00\x00\x00\x00\x40\x02\x5F\x31\x00\x00\x00\x00\x00\x55\xF0\x7F\xC0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0A\x00\xEC\x94\x86\xD8\xFD\x5C\x5F\xD8"} err
assert_match "*Bad data format*" $err
r ping
}
}
} ;# tags