Fix range issues in ZRANDMEMBER and HRANDFIELD (CVE-2023-22458)

missing range check in ZRANDMEMBER and HRANDIFLD leading to panic due to protocol limitations
2023-01-01 19:44:12 +02:00 · 2023-01-01 19:44:12 +02:00 · 37b3b2a7e0
parent 5453899878
commit 37b3b2a7e0
4 changed files with 22 additions and 2 deletions
--- a/src/t_hash.c
+++ b/src/t_hash.c
@ -1196,8 +1196,13 @@ void hrandfieldCommand(client *c) {
        if (c->argc > 4 || (c->argc == 4 && strcasecmp(c->argv[3]->ptr,"withvalues"))) {
            addReplyErrorObject(c,shared.syntaxerr);
            return;
-        } else if (c->argc == 4)
+        } else if (c->argc == 4) {
            withvalues = 1;
+            if (l < LONG_MIN/2 || l > LONG_MAX/2) {
+                addReplyError(c,"value is out of range");
+                return;
+            }
+        }
        hrandfieldWithCountCommand(c, l, withvalues);
        return;
    }
--- a/src/t_zset.c
+++ b/src/t_zset.c
@ -4242,8 +4242,13 @@ void zrandmemberCommand(client *c) {
        if (c->argc > 4 || (c->argc == 4 && strcasecmp(c->argv[3]->ptr,"withscores"))) {
            addReplyErrorObject(c,shared.syntaxerr);
            return;
-        } else if (c->argc == 4)
+        } else if (c->argc == 4) {
            withscores = 1;
+            if (l < LONG_MIN/2 || l > LONG_MAX/2) {
+                addReplyError(c,"value is out of range");
+                return;
+            }
+        }
        zrandmemberWithCountCommand(c, l, withscores);
        return;
    }
--- a/tests/unit/type/hash.tcl
+++ b/tests/unit/type/hash.tcl
@ -68,6 +68,11 @@ start_server {tags {"hash"}} {
        r hrandfield myhash 0
    } {}

+    test "HRANDFIELD count overflow" {
+        r hmset myhash a 1
+        assert_error {*value is out of range*} {r hrandfield myhash -9223372036854770000 withvalues}
+    } {}
+
    test "HRANDFIELD with <count> against non existing key" {
        r hrandfield nonexisting_key 100
    } {}
--- a/tests/unit/type/zset.tcl
+++ b/tests/unit/type/zset.tcl
@ -1735,6 +1735,11 @@ start_server {tags {"zset"}} {
        r zrandmember nonexisting_key 100
    } {}

+    test "ZRANDMEMBER count overflow" {
+        r zadd myzset 0 a
+        assert_error {*value is out of range*} {r zrandmember myzset -9223372036854770000 withscores}
+    } {}
+
    # Make sure we can distinguish between an empty array and a null response
    r readraw 1