Crash report
13664:C 07 Jan 2022 21:21:36.403 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
13664:C 07 Jan 2022 21:21:36.404 # Redis version=255.255.255, bits=64, commit=00000000, modified=0, pid=13664, just started
13664:C 07 Jan 2022 21:21:36.404 # Warning: no config file specified, using the default config. In order to specify a config file use ./redis-server /path/to/redis.conf
13664:M 07 Jan 2022 21:21:36.405 * Increased maximum number of open files to 10032 (it was originally set to 1024).
13664:M 07 Jan 2022 21:21:36.406 * monotonic clock: POSIX clock_gettime
13664:M 07 Jan 2022 21:21:36.409 # WARNING: The TCP backlog setting of 511 cannot be enforced because /proc/sys/net/core/somaxconn is set to the lower value of 128.
13664:M 07 Jan 2022 21:21:36.409 # Server initialized
13664:M 07 Jan 2022 21:21:36.409 # WARNING overcommit_memory is set to 0! Background save may fail under low memory condition. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
13664:M 07 Jan 2022 21:21:36.410 * Loading RDB produced by version 255.255.255
13664:M 07 Jan 2022 21:21:36.410 * RDB age 187818 seconds
13664:M 07 Jan 2022 21:21:36.410 * RDB memory usage when created 0.82 Mb
13664:M 07 Jan 2022 21:21:36.410 * Done loading RDB, keys loaded: 60, keys expired: 0.
13664:M 07 Jan 2022 21:21:36.410 * DB loaded from disk: 0.001 seconds
13664:M 07 Jan 2022 21:21:36.411 * Ready to accept connections
=== REDIS BUG REPORT START: Cut & paste starting from here ===
13664:M 07 Jan 2022 21:21:46.226 # Redis 255.255.255 crashed by signal: 11, si_code: 1
13664:M 07 Jan 2022 21:21:46.226 # Accessing address: 0x10408
13664:M 07 Jan 2022 21:21:46.226 # Crashed running the instruction at: 0x48665e
------ STACK TRACE ------
EIP:
./redis-server *:6379(addReplySubcommandSyntaxError+0x4e)[0x48665e]
Backtrace:
/lib/x86_64-linux-gnu/libpthread.so.0(+0x12890)[0x7ff92c032890]
./redis-server *:6379(addReplySubcommandSyntaxError+0x4e)[0x48665e]
./redis-server *:6379(processCommand+0x257)[0x45a527]
./redis-server *:6379(processCommandAndResetClient+0x3f)[0x49103f]
./redis-server *:6379(processInputBuffer+0x3d3)[0x491573]
./redis-server *:6379(readQueryFromClient+0xcd3)[0x4817c3]
./redis-server *:6379[0x60e8e6]
./redis-server *:6379[0x60d4bb]
./redis-server *:6379(aeProcessEvents+0x903)[0x441eb3]
./redis-server *:6379(aeMain+0x7c)[0x44281c]
./redis-server *:6379(main+0x1088)[0x4684e8]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xe7)[0x7ff92bc41b97]
./redis-server *:6379(_start+0x2a)[0x437eda]
------ REGISTERS ------
13664:M 07 Jan 2022 21:21:46.253 #
RAX:0000000000010400 RBX:00007ff92b858bb1
RCX:0000000000000177 RDX:0000000000c867f0
RDI:00007ff92b858bb1 RSI:65737c6472616373
RBP:00007ff92b858ba3 RSP:00007fffe4cbfbe0
R8 :0000000000000050 R9 :ffffffffffffe760
R10:0000000000000007 R11:00007ff92bc508b0
R12:0000000000005a01 R13:00007ff92b92a7c0
R14:00007ff92b92a7c0 R15:fffffffffffffff8
RIP:000000000048665e EFL:0000000000010206
CSGSFS:00000053002b0033
------ INFO OUTPUT ------
# Server
redis_version:255.255.255
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:a8ed957d8274f8d6
redis_mode:standalone
os:Linux 4.4.0-19041-Microsoft x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:c11-builtin
gcc_version:4.2.1
process_id:13664
process_supervised:no
run_id:6803ab612ddfe2be52ddafaa234906178a47065a
tcp_port:6379
server_time_usec:1641561706223451
uptime_in_seconds:10
uptime_in_days:0
hz:10
configured_hz:10
lru_clock:14171754
executable:/mnt/d/zyp/fuzzer/memdbFuzz/visualstudio/afl-vs-raw/afl-vs-raw/bin/x64/Debug/./redis-server
config_file:
io_threads_active:0
# Clients
connected_clients:1
cluster_connections:0
maxclients:10000
client_recent_max_input_buffer:0
client_recent_max_output_buffer:0
blocked_clients:0
tracking_clients:0
clients_in_timeout_table:0
# Memory
used_memory:923216
used_memory_human:901.58K
used_memory_rss:4714496
used_memory_rss_human:4.50M
used_memory_peak:923216
used_memory_peak_human:901.58K
used_memory_peak_perc:102.43%
used_memory_overhead:912524
used_memory_startup:847944
used_memory_dataset:10692
used_memory_dataset_perc:14.20%
allocator_allocated:1013296
allocator_active:1212416
allocator_resident:4624384
total_system_memory:8359202816
total_system_memory_human:7.79G
used_memory_lua:37888
used_memory_vm_eval:37888
used_memory_lua_human:37.00K
used_memory_scripts_eval:0
number_of_cached_scripts:0
number_of_functions:0
used_memory_vm_functions:35840
used_memory_vm_total:73728
used_memory_vm_total_human:72.00K
used_memory_functions:168
used_memory_scripts:168
used_memory_scripts_human:168B
maxmemory:0
maxmemory_human:0B
maxmemory_policy:noeviction
allocator_frag_ratio:1.20
allocator_frag_bytes:199120
allocator_rss_ratio:3.81
allocator_rss_bytes:3411968
rss_overhead_ratio:1.02
rss_overhead_bytes:90112
mem_fragmentation_ratio:5.49
mem_fragmentation_bytes:3855112
mem_not_counted_for_evict:0
mem_replication_backlog:20508
mem_total_replication_buffers:20504
mem_clients_slaves:0
mem_clients_normal:40960
mem_cluster_links:0
mem_aof_buffer:0
mem_allocator:jemalloc-5.2.1
active_defrag_running:0
lazyfree_pending_objects:0
lazyfreed_objects:0
# Persistence
loading:0
async_loading:0
current_cow_peak:0
current_cow_size:0
current_cow_size_age:0
current_fork_perc:0.00
current_save_keys_processed:0
current_save_keys_total:0
rdb_changes_since_last_save:1
rdb_bgsave_in_progress:0
rdb_last_save_time:1641561696
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:-1
rdb_current_bgsave_time_sec:-1
rdb_last_cow_size:0
rdb_last_load_keys_expired:0
rdb_last_load_keys_loaded:60
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_last_write_status:ok
aof_last_cow_size:0
module_fork_in_progress:0
module_fork_last_cow_size:0
# Stats
total_connections_received:1
total_commands_processed:1
instantaneous_ops_per_sec:0
total_net_input_bytes:41
total_net_output_bytes:0
instantaneous_input_kbps:0.00
instantaneous_output_kbps:0.00
rejected_connections:0
sync_full:0
sync_partial_ok:0
sync_partial_err:0
expired_keys:0
expired_stale_perc:0.00
expired_time_cap_reached_count:0
expire_cycle_cpu_milliseconds:0
evicted_keys:0
evicted_clients:0
total_eviction_exceeded_time:0
current_eviction_exceeded_time:0
keyspace_hits:0
keyspace_misses:0
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:0
total_forks:0
migrate_cached_sockets:0
slave_expires_tracked_keys:0
active_defrag_hits:0
active_defrag_misses:0
active_defrag_key_hits:0
active_defrag_key_misses:0
total_active_defrag_time:0
current_active_defrag_time:0
tracking_total_keys:0
tracking_total_items:0
tracking_total_prefixes:0
unexpected_error_replies:0
total_error_replies:0
dump_payload_sanitizations:0
total_reads_processed:1
total_writes_processed:0
io_threaded_reads_processed:0
io_threaded_writes_processed:0
# Replication
role:master
connected_slaves:0
master_failover_state:no-failover
master_replid:d5fbb09c7d108d570ea2ec65c7ff21c74b32cbb5
master_replid2:304487fdad84b21fb9cded15b081113116e71d4a
master_repl_offset:87
second_repl_offset:29
repl_backlog_active:1
repl_backlog_size:1048576
repl_backlog_first_byte_offset:29
repl_backlog_histlen:59
# CPU
used_cpu_sys:0.015625
used_cpu_user:0.000000
used_cpu_sys_children:0.000000
used_cpu_user_children:0.000000
used_cpu_sys_main_thread:0.015625
used_cpu_user_main_thread:0.000000
# Modules
# Commandstats
cmdstat_sadd:calls=1,usec=13,usec_per_call=13.00,rejected_calls=0,failed_calls=0
# Errorstats
# Cluster
cluster_enabled:0
# Keyspace
db0:keys=60,expires=0,avg_ttl=0
------ CLIENT LIST OUTPUT ------
id=4 addr=127.0.0.1:7484 laddr=127.0.0.1:6379 fd=8 name= age=0 idle=0 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=41 qbuf-free=20433 argv-mem=10 multi-mem=0 obl=4 oll=0 omem=0 tot-mem=40978 events=r cmd=NULL user=default redir=-1 resp=2
------ CURRENT CLIENT INFO ------
id=4 addr=127.0.0.1:7484 laddr=127.0.0.1:6379 fd=8 name= age=0 idle=0 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=41 qbuf-free=20433 argv-mem=10 multi-mem=0 obl=4 oll=0 omem=0 tot-mem=40978 events=r cmd=NULL user=default redir=-1 resp=2
argv[0]: 'scard|set1'
------ MODULES INFO OUTPUT ------
------ CONFIG DEBUG OUTPUT ------
io-threads-do-reads no
lazyfree-lazy-eviction no
lazyfree-lazy-expire no
lazyfree-lazy-server-del no
lazyfree-lazy-user-del no
lazyfree-lazy-user-flush no
repl-diskless-sync no
replica-read-only yes
activedefrag no
repl-diskless-load disabled
sanitize-dump-payload no
io-threads 1
list-compress-depth 0
proto-max-bulk-len 512mb
client-query-buffer-limit 1gb
------ FAST MEMORY TEST ------
13664:M 07 Jan 2022 21:21:46.286 # Bio thread for job type #0 terminated
13664:M 07 Jan 2022 21:21:46.286 # Bio thread for job type #1 terminated
13664:M 07 Jan 2022 21:21:46.286 # Bio thread for job type #2 terminated
.Segmentation fault (core dumped)
Additional information
- OS distribution and version unstable branch, commit #5460c10 (2022-1-3)
- Steps to reproduce (if any)
(a) Download the latest code and compile
(b) Run ./redis-server in one console
(c) Download the input file: https://raw.githubusercontent.com/zyingp/temp/master/redis/crash_addReplySubcommandSyntaxError
(d) Open another console and run nc with the input file like: nc 127.0.0.1 6379 < "./crash_addReplySubcommandSyntaxError"
(e) The server crashes.
- GDB output if we use gdb ./redis-server
gdb ./redis-server
Reading symbols from ./redis-server...done.
(gdb) run
Starting program: /mnt/d/zyp/fuzzer/memdbFuzz/visualstudio/afl-vs-raw/afl-vs-raw/bin/x64/Debug/redis-server
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
13493:C 07 Jan 2022 21:04:59.336 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
13493:C 07 Jan 2022 21:04:59.337 # Redis version=255.255.255, bits=64, commit=00000000, modified=0, pid=13493, just started
13493:C 07 Jan 2022 21:04:59.339 # Warning: no config file specified, using the default config. In order to specify a config file use /mnt/d/zyp/fuzzer/memdbFuzz/visualstudio/afl-vs-raw/afl-vs-raw/bin/x64/Debug/redis-server /path/to/redis.conf
13493:M 07 Jan 2022 21:04:59.341 * Increased maximum number of open files to 10032 (it was originally set to 1024).
13493:M 07 Jan 2022 21:04:59.342 * monotonic clock: POSIX clock_gettime
13493:M 07 Jan 2022 21:04:59.360 # WARNING: The TCP backlog setting of 511 cannot be enforced because /proc/sys/net/core/somaxconn is set to the lower value of 128.
13493:M 07 Jan 2022 21:04:59.360 # Server initialized
13493:M 07 Jan 2022 21:04:59.361 # WARNING overcommit_memory is set to 0! Background save may fail under low memory condition. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
[New Thread 0x7ffffddf0700 (LWP 13497)]
[New Thread 0x7ffffd5e0700 (LWP 13498)]
[New Thread 0x7ffffcdd0700 (LWP 13499)]
[New Thread 0x7ffffc5c0700 (LWP 13500)]
13493:M 07 Jan 2022 21:04:59.378 * Loading RDB produced by version 255.255.255
13493:M 07 Jan 2022 21:04:59.379 * RDB age 186821 seconds
13493:M 07 Jan 2022 21:04:59.382 * RDB memory usage when created 0.82 Mb
13493:M 07 Jan 2022 21:04:59.383 * Done loading RDB, keys loaded: 60, keys expired: 0.
13493:M 07 Jan 2022 21:04:59.383 * DB loaded from disk: 0.006 seconds
13493:M 07 Jan 2022 21:04:59.384 * Ready to accept connections
Thread 1 "redis-server" received signal SIGSEGV, Segmentation fault.
0x000000000048665e in addReplySubcommandSyntaxError (c=0x7ffffe32aa40) at networking.c:966
warning: Source file is more recent than executable.
966 (char*)c->argv[1]->ptr,cmd);
(gdb) bt
#0 0x000000000048665e in addReplySubcommandSyntaxError (c=0x7ffffe32aa40) at networking.c:966
#1 0x000000000045a527 in processCommand (c=0x7ffffe32aa40) at server.c:3290
#2 0x000000000049103f in processCommandAndResetClient (c=0x7ffffe32aa40) at networking.c:2171
#3 0x0000000000491573 in processInputBuffer (c=0x7ffffe32aa40) at networking.c:2266
#4 0x00000000004817c3 in readQueryFromClient (conn=<optimized out>) at networking.c:2378
#5 0x000000000060e8e6 in callHandler (conn=0x7ffffe21e5c0, handler=0x65737c6472616373) at ./connhelpers.h:79
#6 0x000000000060d4bb in connSocketEventHandler (el=<optimized out>, fd=<optimized out>, clientData=0x7ffffe21e5c0,
mask=<optimized out>) at connection.c:295
#7 0x0000000000441eb3 in aeProcessEvents (eventLoop=<optimized out>, flags=27) at ae.c:428
#8 0x000000000044281c in aeMain (eventLoop=0x7ffffe21f190) at ae.c:488
#9 0x00000000004684e8 in main (argc=<optimized out>, argv=0x7ffffffedfe8) at server.c:6541
(gdb) p *c
$1 = {id = 4, conn = 0x7ffffe21e5c0, resp = 2, db = 0x7ffffe304000, name = 0x0,
querybuf = 0x7ffffe330e85 "sadd set1 valuN1\r\nscard|set1\r\nspop set1\r\n", qb_pos = 30,
pending_querybuf = 0x7ffffe209f5b "", querybuf_peak = 41, argc = 1, argv = 0x7ffffe209f50, argv_len = 1,
original_argc = 0, original_argv = 0x0, argv_len_sum = 10, cmd = 0x0, lastcmd = 0x0, user = 0x7ffffe235000,
reqtype = 1, multibulklen = 0, bulklen = -1, reply = 0x7ffffe218f00, reply_bytes = 0, sentlen = 0,
ctime = 1641560704, duration = 14, lastinteraction = 1641560704, obuf_soft_limit_reached_time = 0, flags = 2097152,
authenticated = 1, replstate = 0, repl_put_online_on_ack = 0, repldbfd = 0, repldboff = 0, repldbsize = 0,
replpreamble = 0x0, read_reploff = 0, reploff = 0, repl_ack_off = 0, repl_ack_time = 0, repl_last_partial_write = 0,
psync_initial_offset = 0, replid = '\000' <repeats 40 times>, slave_listening_port = 0, slave_addr = 0x0,
slave_capa = 0, slave_req = 0, mstate = {commands = 0x0, count = 0, cmd_flags = 0, cmd_inv_flags = 0,
argv_len_sums = 0}, btype = 0, bpop = {count = 0, timeout = 0, keys = 0x7ffffe212108, target = 0x0, blockpos = {
wherefrom = 0, whereto = 0}, xread_count = 0, xread_group = 0x0, xread_consumer = 0x0, xread_group_noack = 0,
numreplicas = 0, reploffset = 0, module_blocked_handle = 0x0}, woff = 87, watched_keys = 0x7ffffe218f30,
pubsub_channels = 0x7ffffe212140, pubsub_patterns = 0x7ffffe218f60, pubsubshard_channels = 0x7ffffe212178,
peerid = 0x0, sockname = 0x0, client_list_node = 0x7ffffe250890, paused_list_node = 0x0,
pending_read_list_node = 0x0, auth_callback = 0x0, auth_callback_privdata = 0x0, auth_module = 0x0,
client_tracking_redirection = 0, client_tracking_prefixes = 0x0, last_memory_usage = 40960, last_memory_type = 0,
last_memory_usage_on_bucket_update = 40960, mem_usage_bucket_node = 0x7ffffe2508c0,
mem_usage_bucket = 0xa71118 <server+760>, ref_repl_buf_node = 0x0, ref_block_pos = 0, bufpos = 4,
buf_usable_size = 19792, buf = ":1\r\n", '\000' <repeats 16379 times>}
(gdb) p c->argv[1]
$2 = (robj *) 0x10400
(gdb) p *(c->argv[1])
Cannot access memory at address 0x10400
(gdb) quit
A debugging session is active.
Inferior 1 [process 13493] will be killed.
Quit anyway? (y or n) y
Comment From: itamarhaber
Thanks @zyingp - verified.
Comment From: enjoy-binbin
It looks like every command ending with | (or containing it: split("|"), then length == 2) will crash (unstable branch):
127.0.0.1:6379> scard|
Error: Server closed the connection
127.0.0.1:6379> set|
Error: Server closed the connection
127.0.0.1:6379> get|
Error: Server closed the connection
not connected> get|set
Error: Server closed the connection
Normally, we need to return ASAP with an (error) ERR unknown command error, like:
127.0.0.1:6379> getaaa
(error) ERR unknown command 'getaaa', with args beginning with:
127.0.0.1:6379> get|anything|aaa
(error) ERR unknown command 'get|anything|aaa', with args beginning with:
It passes the (error) ERR unknown command check and finally crashes here; c->argv[1] is NULL:
addReplySubcommandSyntaxError
    addReplyErrorFormat(c,
        "Unknown subcommand or wrong number of arguments for '%s'. Try %s HELP.",
        (char*)c->argv[1]->ptr,cmd);
Introduced in #9504.
With get| or get|anythings, sdssplitlen makes argv[0] become a valid command name, and then it needs to check the subcommand:
struct redisCommand *lookupCommandBySdsLogic(dict *commands, sds s) {
    int argc, j;
    sds *strings = sdssplitlen(s,sdslen(s),"|",1,&argc); /* <-- here */
    if (strings == NULL)
        return NULL;
    if (argc > 2) {
        /* Currently we support just one level of subcommands */
        sdsfreesplitres(strings,argc);
        return NULL;
    }
    robj objects[argc];
    robj *argv[argc];
    for (j = 0; j < argc; j++) {
        initStaticStringObject(objects[j],strings[j]);
        argv[j] = &objects[j];
    }
    struct redisCommand *cmd = lookupCommandLogic(commands,argv,argc);
    sdsfreesplitres(strings,argc);
    return cmd;
}
So I think an easy (quick) way to fix it is:
127.0.0.1:6379> get|set
(error) ERR unknown command 'get|set'.
diff:
void addReplySubcommandSyntaxError(client *c) {
sds cmd = sdsnew((char*) c->argv[0]->ptr);
sdstoupper(cmd);
- addReplyErrorFormat(c,
- "Unknown subcommand or wrong number of arguments for '%s'. Try %s HELP.",
- (char*)c->argv[1]->ptr,cmd);
+ if (c->argc == 1) {
+ addReplyErrorFormat(c, "unknown command '%s'.", (char*)c->argv[0]->ptr);
+ } else {
+ addReplyErrorFormat(c,
+ "Unknown subcommand or wrong number of arguments for '%s'. Try %s HELP.",
+ (char*)c->argv[1]->ptr,cmd);
+ }
sdsfree(cmd);
}
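Review bot: in the new `c->argc == 1` branch the reply text `unknown command '%s'.` does not match the existing unknown-command error quoted earlier in this thread (`ERR unknown command 'getaaa', with args beginning with:`), so the same condition would produce two different messages; consider routing this case through the existing unknown-command reply instead of formatting a second variant here. In the same function, `cmd` is still allocated with `sdsnew` and uppercased before the branch although only the `else` arm uses it, so that setup and the matching `sdsfree` could move into the `else` arm.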
Needs @oranagra @guybe7 to check it again.
Comment From: oranagra
@zyingp for reporting. @enjoy-binbin your fix seems OK; maybe I would also limit the length of the reply, in case argv[1] is too long. However, I also wonder why at all we need to reach that function in this case.
    c->cmd = c->lastcmd = lookupCommand(c->argv,c->argc);
    if (!c->cmd) {
        if (lookupCommandBySds(c->argv[0]->ptr)) {
            /* If we can't find the command but argv[0] by itself is a command
             * it means we're dealing with an invalid subcommand. Print Help. */
            addReplySubcommandSyntaxError(c);
            return C_OK;
        }
- I don't think in this case we need to split the string with |, but rather just look in the commands dict to find if argv[0] is a container command (not lookupCommandBySds).
- I think we may prefer to error using rejectCommand (important in case we're inside a transaction).
please make a PR.
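The argc guard and the reply-length limit discussed in the comments above, as a stand-alone C model. This is an added example, not Redis code and not written by anyone in the thread; the command table, the function names, the shortened message text and the 128-byte cap are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed command table; the real server keeps its commands in a dict. */
static const char *COMMANDS[] = { "get", "set", "scard" };

#define MAX_ECHO 128 /* assumed cap on how much client input is echoed back */

static int is_command(const char *name, size_t len) {
    for (size_t i = 0; i < sizeof(COMMANDS) / sizeof(COMMANDS[0]); i++)
        if (strlen(COMMANDS[i]) == len && strncmp(COMMANDS[i], name, len) == 0)
            return 1;
    return 0;
}

/* Models the lookup-by-name behaviour described in the thread: the name is
 * split on '|', only one subcommand level is accepted, and the part before
 * the separator is what gets matched against the command table. */
int name_resolves_after_split(const char *name) {
    const char *bar = strchr(name, '|');
    if (bar == NULL)
        return is_command(name, strlen(name));
    if (strchr(bar + 1, '|') != NULL)
        return 0; /* more than two parts: rejected */
    return is_command(name, (size_t)(bar - name));
}

/* Hardened error path: argv[1] is read only when argc says it exists, and
 * echoed input is truncated to MAX_ECHO bytes.
 * Returns 0 for "unknown command", 1 for "unknown subcommand". */
int subcommand_error(int argc, const char **argv, char *out, size_t outlen) {
    if (argc < 2) {
        snprintf(out, outlen, "ERR unknown command '%.*s'", MAX_ECHO, argv[0]);
        return 0;
    }
    snprintf(out, outlen,
             "ERR Unknown subcommand or wrong number of arguments for '%.*s'",
             MAX_ECHO, argv[1]);
    return 1;
}

int main(void) {
    /* Constructed request: one argument whose name contains the separator,
     * matching argv[0] in the crash report. */
    const char *argv[] = { "scard|set1" };
    char reply[256];

    if (name_resolves_after_split(argv[0])) {
        /* This is the state in which the unguarded code read argv[1]. */
        subcommand_error(1, argv, reply, sizeof(reply));
        puts(reply);
    }
    return 0;
}
```

The four names tested in the thread (`scard|set1`, `get|`, `getaaa`, `get|anything|aaa`) make a compact regression set for this path: the first two must produce an error reply rather than a closed connection.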