In the function _sdsMakeRoomFor(sds s, size_t addlen, int greedy), we have the following code that can lead to integer overflow (see my comments for details):
len = sdslen(s); // suppose len = 2
// suppose addlen=0xffffffffffefffef, then newlen = 0xffffffffffeffff1
newlen = (len+addlen);
assert(newlen > len); // check passed
if (greedy == 1) { // suppose greedy = 1
// SDS_MAX_PREALLOC is (1024*1024), taking else branch
if (newlen < SDS_MAX_PREALLOC)
newlen *= 2;
else
newlen += SDS_MAX_PREALLOC; // newlen = 0xfffffffffffffff1
}
...
hdrlen = sdsHdrSize(type); // suppose type is SDS_TYPE_64, hdrlen=17
// hdrlen + newlen + 1 = 3 > len=2, check passed but overflow happens!
assert(hdrlen + newlen + 1 > len);
// use the overflowed small value 3 as the allocation size, dangerous!
newsh = s_realloc_usable(sh, hdrlen+newlen+1, &usable);
Comment From: sundb
Good, Can you make a pr for this?
Comment From: yiyuaner
Good, Can you make a pr for this?
Ok, I have made a pr. Also, do you think this issue needs a security advisory? Can you help to apply for an CVE id? Thanks.
Comment From: oranagra
@yiyuaner thank you for reporting. we're trying to assess if / how this issue impacts Redis and we'll create an advisory if needed. i would like to ask that next time if you find such an issue, please contact us privately, see https://github.com/redis/redis/security/policy