From ef78ba0a7793a0b6be026ec77ef3c7e919efa08a Mon Sep 17 00:00:00 2001
|
|
From: Oran Agra <oran@redislabs.com>
|
|
Date: Mon, 3 May 2021 08:27:22 +0300
|
|
Subject: [PATCH] Fix integer overflow in intset (CVE-2021-29478)
|
|
|
|
An integer overflow bug in Redis 6.2 could be exploited to corrupt the heap and
|
|
potentially result in remote code execution.
|
|
|
|
The vulnerability involves changing the default set-max-intset-entries
|
|
configuration value, creating a large set key that consists of integer values
|
|
and using the COPY command to duplicate it.
|
|
|
|
The integer overflow bug exists in all versions of Redis starting with 2.6,
|
|
where it could result with a corrupted RDB or DUMP payload, but not exploited
|
|
through COPY (which did not exist before 6.2).
|
|
---
|
|
src/intset.c | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/src/intset.c b/src/intset.c
|
|
index 198c90a..8d35536 100644
|
|
--- a/src/intset.c
|
|
+++ b/src/intset.c
|
|
@@ -278,7 +278,7 @@ uint32_t intsetLen(const intset *is) {
|
|
|
|
/* Return intset blob size in bytes. */
|
|
size_t intsetBlobLen(intset *is) {
|
|
- return sizeof(intset)+intrev32ifbe(is->length)*intrev32ifbe(is->encoding);
|
|
+ return sizeof(intset)+(size_t)intrev32ifbe(is->length)*intrev32ifbe(is->encoding);
|
|
}
|
|
|
|
#ifdef REDIS_TEST
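Review bot: The `(size_t)` cast on the `+` line only widens the product where size_t is wider than the 32-bit operands; on a 32-bit build size_t is itself 32 bits, so `length*encoding` can still wrap there (a blob that large could not be allocated in a 32-bit address space, so the remaining exposure looks theoretical, but the limitation should be stated rather than implied). A why-comment would also keep a future cleanup from dropping a cast that looks redundant: `/* Widen before multiplying: length and encoding are 32-bit, and the uint32_t product wrapped, letting a huge intset report a tiny blob size (CVE-2021-29478). */`. If a platform-independent guarantee is wanted, computing the product in `uint64_t` and having callers reject results above SIZE_MAX would be stronger; those callers (the COPY, DUMP and RDB paths named in the description) are outside this hunk. The fix would benefit from a regression test that raises set-max-intset-entries, builds a large integer-only set and runs COPY, as the description outlines.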
|
|
--
|
|
2.23.0