When we review the source file redis-cli.c for checking a NPD bug, we find that this may be an bufferoverflow or a semantic bug instead. Please see the following code snippet.
In Line 2271, I guess the semantic is to check whether the filename ends with '/', if not, you are going to append '/' to the end. However, the operation filename[sdslen(filename)] - 1 seems wrong, because it will overflow filename using filename[sdslen(filename)] and the operation -1 does make no sense.
The correct one should be: if (filename[sdslen(filename) -1 ] != '/')
Please help to check whether our analysis is correct. Thanks.
Comment From: wurongxin1987
Please see if the pull request (https://github.com/antirez/redis/pull/5913) fixes this bug.
Comment From: wurongxin1987
@artix75 Can you help to check this bug and its patch?
Comment From: richardxx
Hopefully anybody can check out this piece of interesting code :>
Comment From: artix75
@wurongxin1987 Yeah, you're right.
It's a typing error, it should be filename[sdslen(filename) - 1]. I'm going to check the pull request. Thank you!
Comment From: wurongxin1987
@wurongxin1987 Yeah, you're right. It's a typing error, it should be
filename[sdslen(filename) - 1]. I'm going to check the pull request. Thank you!
Thanks very much for your feedbacks. It will be very helpful to improve our tool.
Comment From: huangzhw
Fixed