Integer Overflow in RAND commands can lead to assertion (CVE-2023-25155) (#11857)

Issue happens when passing a negative long value that greater than the max positive value that the long can store.
2023-02-28 15:15:46 +02:00 · 2023-02-28 15:15:46 +02:00 · b1939b052a
commit b1939b052a
parent dcbfcb916c
6 changed files with 14 additions and 5 deletions
--- a/src/t_hash.c
+++ b/src/t_hash.c
@ -1120,13 +1120,13 @@ void hrandfieldCommand(client *c) {
    listpackEntry ele;

    if (c->argc >= 3) {
-        if (getLongFromObjectOrReply(c,c->argv[2],&l,NULL) != C_OK) return;
+        if (getRangeLongFromObjectOrReply(c,c->argv[2],-LONG_MAX,LONG_MAX,&l,NULL) != C_OK) return;
        if (c->argc > 4 || (c->argc == 4 && strcasecmp(c->argv[3]->ptr,"withvalues"))) {
            addReplyErrorObject(c,shared.syntaxerr);
            return;
        } else if (c->argc == 4) {
            withvalues = 1;
-            if (l < LONG_MIN/2 || l > LONG_MAX/2) {
+            if (l < -LONG_MAX/2 || l > LONG_MAX/2) {
                addReplyError(c,"value is out of range");
                return;
            }
--- a/src/t_set.c
+++ b/src/t_set.c
@ -984,7 +984,7 @@ void srandmemberWithCountCommand(client *c) {

    dict *d;

-    if (getLongFromObjectOrReply(c,c->argv[2],&l,NULL) != C_OK) return;
+    if (getRangeLongFromObjectOrReply(c,c->argv[2],-LONG_MAX,LONG_MAX,&l,NULL) != C_OK) return;
    if (l >= 0) {
        count = (unsigned long) l;
    } else {
--- a/src/t_zset.c
+++ b/src/t_zset.c
@ -4317,13 +4317,13 @@ void zrandmemberCommand(client *c) {
    listpackEntry ele;

    if (c->argc >= 3) {
-        if (getLongFromObjectOrReply(c,c->argv[2],&l,NULL) != C_OK) return;
+        if (getRangeLongFromObjectOrReply(c,c->argv[2],-LONG_MAX,LONG_MAX,&l,NULL) != C_OK) return;
        if (c->argc > 4 || (c->argc == 4 && strcasecmp(c->argv[3]->ptr,"withscores"))) {
            addReplyErrorObject(c,shared.syntaxerr);
            return;
        } else if (c->argc == 4) {
            withscores = 1;
-            if (l < LONG_MIN/2 || l > LONG_MAX/2) {
+            if (l < -LONG_MAX/2 || l > LONG_MAX/2) {
                addReplyError(c,"value is out of range");
                return;
            }
--- a/tests/unit/type/hash.tcl
+++ b/tests/unit/type/hash.tcl
@ -74,6 +74,8 @@ start_server {tags {"hash"}} {
    test "HRANDFIELD count overflow" {
        r hmset myhash a 1
        assert_error {*value is out of range*} {r hrandfield myhash -9223372036854770000 withvalues}
+        assert_error {*value is out of range*} {r hrandfield myhash -9223372036854775808 withvalues}
+        assert_error {*value is out of range*} {r hrandfield myhash -9223372036854775808}
    } {}

    test "HRANDFIELD with <count> against non existing key" {
--- a/tests/unit/type/set.tcl
+++ b/tests/unit/type/set.tcl
@ -745,6 +745,11 @@ start_server {
        r srandmember nonexisting_key 100
    } {}

+    test "SRANDMEMBER count overflow" {
+        r sadd myset a
+        assert_error {*value is out of range*} {r srandmember myset -9223372036854775808}
+    } {}
+
    # Make sure we can distinguish between an empty array and a null response
    r readraw 1

--- a/tests/unit/type/zset.tcl
+++ b/tests/unit/type/zset.tcl
@ -2325,6 +2325,8 @@ start_server {tags {"zset"}} {
    test "ZRANDMEMBER count overflow" {
        r zadd myzset 0 a
        assert_error {*value is out of range*} {r zrandmember myzset -9223372036854770000 withscores}
+        assert_error {*value is out of range*} {r zrandmember myzset -9223372036854775808 withscores}
+        assert_error {*value is out of range*} {r zrandmember myzset -9223372036854775808}
    } {}

    # Make sure we can distinguish between an empty array and a null response