Prevent clients from making too large multibulk requests

diff --git a/src/networking.c b/src/networking.c
index e2e25207b5d025b49063ad58450478d38121d1b1..46d49bf6c5639febe72696852f06afe5cff56b0b 100644 (file)
--- a/src/networking.c
+++ b/src/networking.c
@@ -724,6 +724,10 @@ int processMultibulkBuffer(redisClient *c) {
         if (c->multibulklen <= 0) {
             c->querybuf = sdsrange(c->querybuf,pos,-1);
             return REDIS_OK;
+        } else if (c->multibulklen > 1024*1024) {
+            addReplyError(c,"Protocol error: invalid multibulk length");
+            setProtocolError(c,pos);
+            return REDIS_ERR;
         }
 
         /* Setup argv array on client structure */

diff --git a/tests/unit/protocol.tcl b/tests/unit/protocol.tcl
index d1fadffbc7265ed6609dd8622dfceaa8b9152c99..b0faf5dd74ed0dfe33f7620203560d5b52983fb8 100644 (file)
--- a/tests/unit/protocol.tcl
+++ b/tests/unit/protocol.tcl
@@ -13,6 +13,13 @@ start_server {tags {"protocol"}} {
         assert_equal PONG [r ping]
     }
 
+    test "Out of range multibulk length" {
+        reconnect
+        r write "*20000000\r\n"
+        r flush
+        assert_error "*invalid multibulk length*" {r read}
+    }
+
     test "Wrong multibulk payload header" {
         reconnect
         r write "*3\r\n\$3\r\nSET\r\n\$1\r\nx\r\nfooz\r\n"