redis/src
antirez 48e24d54b7 Ziplist: insertion bug under particular conditions fixed.
Ziplists had a bug that was discovered while investigating a different
issue, resulting in a corrupted ziplist representation, and a likely
segmentation fault and/or data corruption of the last element of the
ziplist, once the ziplist is accessed again.

The bug happens when a specific set of insertions / deletions is
performed so that an entry is encoded to have a "prevlen" field (the
length of the previous entry) of 5 bytes but with a count that could be
encoded in a "prevlen" field of a single byte. This could happen when the
"cascading update" process called by ziplistInsert()/ziplistDelete() in
certain conditions forces the prevlen to be bigger than necessary in
order to avoid too much data moving around.

Once such an entry is generated, inserting a very small entry
immediately before it will result in a resizing of the ziplist for a
count smaller than the current ziplist length (which is a violation,
inserting code expects the ziplist to get bigger actually). So an FF
byte is inserted in a misplaced position. Moreover a realloc() is
performed with a count smaller than the ziplist current length so the
final bytes could be trashed as well.

SECURITY IMPLICATIONS:

Currently it looks like an attacker can only crash a Redis server by
providing specifically chosen commands. However an FF byte is written
and there are other memory operations that depend on a wrong count, so
even if it is not immediately apparent how to mount an attack in order
to execute code remotely, it is not impossible at all that this could be
done. Attacks always get better... and we did not spend enough time in
order to think how to exploit this issue, but security researchers
or malicious attackers could.
2017-02-01 15:03:18 +01:00
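To make the state the commit message describes concrete, here is an added example (not Redis code) that models the ziplist "prevlen" field, walks a constructed list to flag an entry whose prevlen is stored in 5 bytes although it fits in 1, and computes the realloc target of an insert in front of such an entry, which for a small entry comes out below the current length. The constants, the simplified entry layout and the sample buffers are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
/* Added example, not Redis code. Models the ziplist "prevlen" field
 * (1 byte if the previous entry is < 254 bytes, else 0xFE + 32-bit
 * little-endian length). Assumed simplification: entries are strings
 * with a 1-byte length header (len <= 63); the list ends with 0xFF. */
#define ZIP_BIG_PREVLEN 254
#define ZIP_END 0xFF

static size_t prevlen_size_needed(uint32_t prevlen) {
    return prevlen < ZIP_BIG_PREVLEN ? 1 : 5;
}

/* Decode the prevlen stored at p; returns the bytes it occupies. */
static size_t prevlen_decode(const uint8_t *p, uint32_t *out) {
    if (p[0] < ZIP_BIG_PREVLEN) { *out = p[0]; return 1; }
    *out = (uint32_t)p[1] | (uint32_t)p[2] << 8 |
           (uint32_t)p[3] << 16 | (uint32_t)p[4] << 24;
    return 5;
}

/* Report the first entry whose prevlen is stored in 5 bytes although it
 * fits in 1 (the "forced large" state the commit describes). Returns
 * the entry index, -1 if none, -2 if the buffer is truncated or a
 * stored prevlen disagrees with the real size of the previous entry. */
static int find_oversized_prevlen(const uint8_t *zl, size_t len) {
    size_t pos = 0, prev_size = 0;
    int idx = 0;
    while (pos < len && zl[pos] != ZIP_END) {
        uint32_t stored;
        if (zl[pos] >= ZIP_BIG_PREVLEN && pos + 5 > len) return -2;
        size_t psize = prevlen_decode(zl + pos, &stored);
        if (stored != prev_size || pos + psize >= len) return -2;
        if (psize == 5 && prevlen_size_needed(stored) == 1) return idx;
        size_t datalen = zl[pos + psize] & 0x3F;  /* 6-bit string length */
        prev_size = psize + 1 + datalen;
        pos += prev_size;
        idx++;
    }
    return -1;
}

/* Length the insert would realloc to for a reqlen-byte entry placed in
 * front of an entry whose prevlen uses cur_psize bytes now and needs
 * needed_psize afterwards (nextdiff = needed - current). With 5, 1 and
 * reqlen < 4 the result is below curlen: the invalid shrink. */
static long insert_resize_target(long curlen, long reqlen,
                                 long cur_psize, long needed_psize) {
    return curlen + reqlen + (needed_psize - cur_psize);
}
```

A walk like find_oversized_prevlen is a cheap consistency check to run on ziplist blobs (for example when loading untrusted RDB or DUMP payloads) before the insert path is allowed to trust their prevlen fields.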
.gitignore Ignore gcov/lcov artifacts 2012-04-13 17:52:33 -07:00
adlist.c Fix typos 2014-10-06 10:07:01 +02:00
adlist.h BSD license added to every C source and header file. 2012-11-08 18:31:32 +01:00
ae.c Remove redundant event loop fd processing 2014-08-26 10:41:02 +02:00
ae.h ae.c event loop: API to resize the fd set size on the run. 2013-06-28 16:39:49 +02:00
ae_epoll.c Fixed grammar: before H the article is a, not an. 2013-12-05 16:35:32 +01:00
ae_evport.c ae.c event loop: API to resize the fd set size on the run. 2013-06-28 16:39:49 +02:00
ae_kqueue.c No more trailing spaces in Redis source code. 2014-06-26 18:48:47 +02:00
ae_select.c ae.c event loop: API to resize the fd set size on the run. 2013-06-28 16:39:49 +02:00
anet.c anet.c: new API anetTcpNonBlockBestEffortBindConnect() 2015-06-11 13:01:04 +02:00
anet.h anet.c: new API anetTcpNonBlockBestEffortBindConnect() 2015-06-11 13:01:04 +02:00
aof.c bugfix: errno might change before logging 2015-07-17 10:47:26 +02:00
asciilogo.h BSD license added to every C source and header file. 2012-11-08 18:31:32 +01:00
bio.c Fixed many typos. 2013-01-19 10:59:44 +01:00
bio.h Make bio.c threads killable ASAP if needed. 2012-11-22 10:12:11 +01:00
bitops.c bitops.c/bitopCommand: skip short minlen for FAST PATH 2014-12-09 12:46:43 +01:00
blocked.c Replication: disconnect blocked clients when switching to slave role. 2015-03-24 16:16:44 +01:00
cluster.c Cluster: handle zero bytes at the end of nodes.conf. 2016-12-06 09:06:20 +01:00
cluster.h Cluster: clarify node->slave may be NULL. 2016-01-25 15:21:43 +01:00
config.c Fix memory leak in masterauth config option loading. 2016-01-26 14:21:49 +01:00
config.h HAVE_SYNC_FILE_RANGE should be protected by ifdef __linux__. 2015-03-18 11:29:32 +01:00
crc16.c No more trailing spaces in Redis source code. 2014-06-26 18:48:47 +02:00
crc64.c crc64.c modified for incremental computation. 2012-04-09 12:20:47 +02:00
crc64.h Introduced the Build ID in INFO and --version output. 2012-11-29 14:20:08 +01:00
db.c Fix 3.0 merge issues with new MIGRATE. 2015-12-13 10:23:04 +01:00
debug.c fix sprintf and snprintf format string 2015-12-18 09:10:51 +01:00
dict.c dict.c: remove dictGetRandomKeys() API, no longer used. 2015-04-01 15:50:54 +02:00
dict.h dict.c: remove dictGetRandomKeys() API, no longer used. 2015-04-01 15:50:54 +02:00
endianconv.c endian.c/h -> endianconv.c/h to avoid issues with broken libraries search paths. 2012-02-14 16:11:46 +01:00
endianconv.h No more trailing spaces in Redis source code. 2014-06-26 18:48:47 +02:00
fmacros.h Silence _BSD_SOURCE warnings in glibc 2.20 and forward 2014-12-09 12:24:28 +01:00
help.h Update redis-cli help and the script to generate it. 2015-11-17 15:40:18 +01:00
hyperloglog.c Over 80 chars comment trimmed in pfcountCommand(). 2014-12-02 17:03:20 +01:00
intset.c Fix intset midpoint selection 2014-08-26 10:41:01 +02:00
intset.h BSD license added to every C source and header file. 2012-11-08 18:31:32 +01:00
latency.c Fix iterator for issue #2438. 2015-03-04 11:49:48 -08:00
latency.h Separate latency monitoring of eviction loop and eviction DELs. 2015-02-11 11:01:46 +01:00
lzf.h No more trailing spaces in Redis source code. 2014-06-26 18:48:47 +02:00
lzf_c.c No more trailing spaces in Redis source code. 2014-06-26 18:48:47 +02:00
lzf_d.c No more trailing spaces in Redis source code. 2014-06-26 18:48:47 +02:00
lzfP.h No more trailing spaces in Redis source code. 2014-06-26 18:48:47 +02:00
Makefile Add "-lrt" in Makefile for Solaris. 2015-01-09 11:54:50 +01:00
Makefile.dep Dependencies updated. 2014-07-18 12:20:55 +02:00
memtest.c Include stropts only if __sun is defined. 2014-12-09 12:59:36 +01:00
mkreleasehdr.sh suppress external diff program when using git diff. 2013-02-24 18:17:46 +01:00
multi.c Cleanup double semicolons 2014-08-26 10:41:02 +02:00
networking.c additional fix to issue #2948 2016-05-05 14:01:08 +02:00
notify.c Fix keyspace events flags-to-string conversion. 2014-01-08 17:18:34 +01:00
object.c Handle infinite explicitly in createStringObjectFromLongLong(). 2014-12-03 10:41:03 +01:00
pqsort.c No more trailing spaces in Redis source code. 2014-06-26 18:48:47 +02:00
pqsort.h BSD license added to every C source and header file. 2012-11-08 18:31:32 +01:00
pubsub.c pubsub: Return integers for NUMSUB, not strings 2014-08-26 10:41:02 +02:00
rand.c Use 'void' for zero-argument functions 2014-08-26 10:41:02 +02:00
rand.h BSD license added to every C source and header file. 2012-11-08 18:31:32 +01:00
rdb.c Fix merge issues in 490847c. 2015-09-07 17:29:21 +02:00
rdb.h Diskless replication: RDB -> slaves transfer draft implementation. 2014-10-29 14:26:47 +01:00
redis-benchmark.c FIXED redis-benchmark's idle mode.With idle mode shouldn't create write event 2014-12-11 15:21:42 +01:00
redis-check-aof.c BSD license added to every C source and header file. 2012-11-08 18:31:32 +01:00
redis-check-dump.c Cleanup double semicolons 2014-08-26 10:41:02 +02:00
redis-cli.c Fix nanosecond conversion 2016-05-05 16:21:43 +02:00
redis-trib.rb fix variable 2016-05-05 08:56:58 +02:00
redis.c Cluster: make getNodeByQuery() responsible of -CLUSTERDOWN errors. 2016-05-05 11:47:01 +02:00
redis.h Typo ASII -> ASCII fixed in comment. 2016-01-29 12:08:37 +01:00
redisassert.h assert.h replaced with redisassert.h when appropriate. 2013-08-19 15:01:21 +02:00
release.c No more trailing spaces in Redis source code. 2014-06-26 18:48:47 +02:00
replication.c Minor changes to PR #2813. 2015-10-15 10:22:13 +02:00
rio.c Translate rio fdset target EWOULDBLOCK error into ETIMEDOUT. 2014-10-29 14:26:48 +01:00
rio.h Diskless replication: rio fdset target new supports buffering. 2014-10-29 14:26:48 +01:00
scripting.c Removed dofile() from Lua 2016-05-08 18:05:07 +02:00
sds.c sdsfree x and y 2015-05-04 13:03:01 +02:00
sds.h Use unsigned integers in SDS header. 2014-08-26 10:41:02 +02:00
sentinel.c fix comment "b>a" to "a > b" 2016-06-07 14:42:50 +08:00
setproctitle.c Set proctitle: avoid the use of __attribute__((constructor)). 2013-02-27 11:50:35 +01:00
sha1.c sha1.c: use standard uint32_t. 2015-04-27 12:07:59 +02:00
sha1.h sha1.c: use standard uint32_t. 2015-04-27 12:07:59 +02:00
slowlog.c Introduction of a new string encoding: EMBSTR 2013-07-22 10:31:38 +02:00
slowlog.h BSD license added to every C source and header file. 2012-11-08 18:31:32 +01:00
solarisfixes.h Check for __sun macro in solarisfixes.h, not in includers. 2015-01-09 11:22:14 +01:00
sort.c Removed incorrect suggestion 2015-05-29 12:27:59 +02:00
sparkline.c sparkline.c: AddSample skip Empty label 2014-12-09 11:28:50 +01:00
sparkline.h LATENCY GRAPH implemented. 2014-07-18 12:20:55 +02:00
syncio.c syncWithMaster(): non blocking state machine. 2015-08-07 12:20:03 +02:00
t_hash.c Use exp format and more precision output for ZSCAN. 2014-12-03 10:41:03 +01:00
t_list.c Fix NOTIFY macro names after cherry pick of fix. 2016-02-05 15:57:42 +01:00
t_set.c Rewrite smoveCommand test with ternary operator 2015-05-15 17:39:37 +02:00
t_string.c Use exp format and more precision output for ZSCAN. 2014-12-03 10:41:03 +01:00
t_zset.c Update t_zset.c 2015-06-11 15:15:45 +02:00
testhelp.h BSD license added to every C source and header file. 2012-11-08 18:31:32 +01:00
util.c Better memtoll() error checking. 2015-02-12 16:54:38 +01:00
util.h pathIsBaseName() added to utils.c 2013-07-02 12:08:07 +02:00
valgrind.sup more valgrind friendly test 2011-07-06 15:22:00 +02:00
version.h Redis 3.0.7. 2016-01-25 15:54:36 +01:00
ziplist.c Ziplist: insertion bug under particular conditions fixed. 2017-02-01 15:03:18 +01:00
ziplist.h BSD license added to every C source and header file. 2012-11-08 18:31:32 +01:00
zipmap.c zipmap.c: update comments above 2014-12-09 16:01:11 +01:00
zipmap.h mistype fixed 2013-09-03 15:15:51 +02:00
zmalloc.c Fix non-linux builds error introduced with THP checks. 2014-11-14 17:19:58 +01:00
zmalloc.h THP detection / reporting functions added. 2014-11-12 11:17:44 +01:00