From a679185aa515e2f52d8a0f66c3972eb8f43d7fae Mon Sep 17 00:00:00 2001
From: antirez
Date: Tue, 24 Aug 2010 11:45:05 +0200
Subject: [PATCH] sanity check for the bulk argument in protocol parsing code, fixing issue 146
---
 src/redis.c | 17 +++++++++++++----
 src/redis.h | 2 +-
 2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/src/redis.c b/src/redis.c
index 1a581a92..eade7868 100644
--- a/src/redis.c
+++ b/src/redis.c
@@ -912,9 +912,14 @@ int processCommand(redisClient *c) {
 resetClient(c);
 return 1;
 } else {
- int bulklen = atoi(((char*)c->argv[0]->ptr)+1);
+ char *eptr;
+ long bulklen = strtol(((char*)c->argv[0]->ptr)+1,&eptr,10);
+ int perr = eptr[0] != '\0';
+
 decrRefCount(c->argv[0]);
- if (bulklen < 0 || bulklen > 1024*1024*1024) {
+ if (perr || bulklen == LONG_MIN || bulklen == LONG_MAX ||
+ bulklen < 0 || bulklen > 1024*1024*1024)
+ {
 c->argc--;
 addReplySds(c,sdsnew("-ERR invalid bulk write count\r\n"));
 resetClient(c);
@@ -984,10 +989,14 @@ int processCommand(redisClient *c) {
 return 1;
 } else if (cmd->flags & REDIS_CMD_BULK && c->bulklen == -1) {
 /* This is a bulk command, we have to read the last argument yet. */
- int bulklen = atoi(c->argv[c->argc-1]->ptr);
+ char *eptr;
+ long bulklen = strtol(c->argv[c->argc-1]->ptr,&eptr,10);
+ int perr = eptr[0] != '\0';
 decrRefCount(c->argv[c->argc-1]);
- if (bulklen < 0 || bulklen > 1024*1024*1024) {
+ if (perr || bulklen == LONG_MAX || bulklen == LONG_MIN ||
+ bulklen < 0 || bulklen > 1024*1024*1024)
+ {
 c->argc--;
 addReplySds(c,sdsnew("-ERR invalid bulk write count\r\n"));
 resetClient(c);
diff --git a/src/redis.h b/src/redis.h
index 781fb209..c35fe53a 100644
--- a/src/redis.h
+++ b/src/redis.h
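Review bot: A length argument with no digits at all still passes the new check in the first src/redis.c hunk (@@ -912): for an empty string strtol() returns 0 and leaves `eptr` at the start of the input, so `eptr[0] != '\0'` is false and `bulklen` is accepted as 0. Keeping the start pointer and comparing against it closes that, e.g. `char *start = ((char*)c->argv[0]->ptr)+1;` followed by `int perr = eptr == start || eptr[0] != '\0';`. The second hunk (@@ -984) has the same pattern for `c->argv[c->argc-1]->ptr`. strtol() also skips leading whitespace and accepts a `+` sign, so those spellings are accepted too if they can reach this point. processCommand() starts and ends outside the hunk.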
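Review bot: `eptr` points into the string owned by `c->argv[c->argc-1]`, and the next statement in the second src/redis.c hunk (@@ -984) is `decrRefCount()` on that same object, so the order of these two lines matters and deserves a comment. `perr` is computed before the release, which is correct, but a later reordering or any read of `eptr` after the call could touch memory that has already been freed. I would add `/* eptr points into argv's buffer: evaluate it before decrRefCount() */` above the `int perr` line, and the same in the first hunk. Separately, the `bulklen == LONG_MAX || bulklen == LONG_MIN` tests are already covered by the `bulklen < 0 || bulklen > 1024*1024*1024` range check and could be dropped.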
@@ -283,7 +283,7 @@ typedef struct redisClient {
 sds querybuf;
 robj **argv, **mbargv;
 int argc, mbargc;
- int bulklen; /* bulk read len. -1 if not in bulk read mode */
+ long bulklen; /* bulk read len. -1 if not in bulk read mode */
 int multibulk; /* multi bulk command format active */
 list *reply;
 int sentlen;
-- 
2.45.2