]> git.saurik.com Git - redis.git/commitdiff
projects / redis.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: e193873)
sanity check for the bulk argument in protocol parsing code, fixing issue 146
authorantirez <antirez@gmail.com>
Tue, 24 Aug 2010 09:45:05 +0000 (11:45 +0200)
committerantirez <antirez@gmail.com>
Tue, 24 Aug 2010 09:45:05 +0000 (11:45 +0200)
src/redis.c patch | blob | blame | history
src/redis.h patch | blob | blame | history

diff --git a/src/redis.c b/src/redis.c
index 1a581a92a2c607abb943820cf777506b988234c3..eade7868a1b37f5c6d57aed14e3beff72c1ff231 100644 (file)
--- a/src/redis.c
+++ b/src/redis.c
@@ -912,9 +912,14 @@ int processCommand(redisClient *c) {
                 resetClient(c);
                 return 1;
             } else {
-                int bulklen = atoi(((char*)c->argv[0]->ptr)+1);
+                char *eptr;
+                long bulklen = strtol(((char*)c->argv[0]->ptr)+1,&eptr,10);
+                int perr = eptr[0] != '\0';
+
                 decrRefCount(c->argv[0]);
-                if (bulklen < 0 || bulklen > 1024*1024*1024) {
+                if (perr || bulklen == LONG_MIN || bulklen == LONG_MAX ||
+                    bulklen < 0 || bulklen > 1024*1024*1024)
+                {
                     c->argc--;
                     addReplySds(c,sdsnew("-ERR invalid bulk write count\r\n"));
                     resetClient(c);
@@ -984,10 +989,14 @@ int processCommand(redisClient *c) {
         return 1;
     } else if (cmd->flags & REDIS_CMD_BULK && c->bulklen == -1) {
         /* This is a bulk command, we have to read the last argument yet. */
-        int bulklen = atoi(c->argv[c->argc-1]->ptr);
+        char *eptr;
+        long bulklen = strtol(c->argv[c->argc-1]->ptr,&eptr,10);
+        int perr = eptr[0] != '\0';
 
         decrRefCount(c->argv[c->argc-1]);
-        if (bulklen < 0 || bulklen > 1024*1024*1024) {
+        if (perr || bulklen == LONG_MAX || bulklen == LONG_MIN ||
+            bulklen < 0 || bulklen > 1024*1024*1024)
+        {
             c->argc--;
             addReplySds(c,sdsnew("-ERR invalid bulk write count\r\n"));
             resetClient(c);
diff --git a/src/redis.h b/src/redis.h
index 781fb209e2274328e3a3ff6b393e133f06144da1..c35fe53a2caffe39479ba17db2edd28a20fea0b8 100644 (file)
--- a/src/redis.h
+++ b/src/redis.h
@@ -283,7 +283,7 @@ typedef struct redisClient {
     sds querybuf;
     robj **argv, **mbargv;
     int argc, mbargc;
-    int bulklen;            /* bulk read len. -1 if not in bulk read mode */
+    long bulklen;            /* bulk read len. -1 if not in bulk read mode */
     int multibulk;          /* multi bulk command format active */
     list *reply;
     int sentlen;
Redis += OpenLDAP MDB