From de16bee70a7533119f45c8f7b62a36861f1b2193 Mon Sep 17 00:00:00 2001
From: YaacovHazan <31382944+YaacovHazan@users.noreply.github.com>
Date: Wed, 30 Apr 2025 09:58:51 +0300
Subject: [PATCH] Limiting output buffer for unauthenticated client (CVE-2025-21605) (#13993)

For unauthenticated clients the output buffer is limited to prevent them from abusing it by not reading the replies
---
 src/networking.c | 5 +++++
 tests/unit/auth.tcl | 18 ++++++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/src/networking.c b/src/networking.c
index 3dd02f3e1..8a9dfe8fa 100644
--- a/src/networking.c
+++ b/src/networking.c
@@ -4217,6 +4217,11 @@ int checkClientOutputBufferLimits(client *c) {
 int soft = 0, hard = 0, class;
 unsigned long used_mem = getClientOutputBufferMemoryUsage(c);
 
+ /* For unauthenticated clients the output buffer is limited to prevent
+ * them from abusing it by not reading the replies */
+ if (used_mem > 1024 && authRequired(c))
+ return 1;
+
 class = getClientType(c);
 /* For the purpose of output buffer limiting, masters are handled
 * like normal clients. */
diff --git a/tests/unit/auth.tcl b/tests/unit/auth.tcl
index 023101fdf..8be729824 100644
--- a/tests/unit/auth.tcl
+++ b/tests/unit/auth.tcl
@@ -58,6 +58,24 @@ start_server {tags {"auth external:skip"} overrides {requirepass foobar}} {
 assert_match {*unauthenticated bulk length*} $e
 $rr close
 }
+
+ test {For unauthenticated clients output buffer is limited} {
+ set rr [redis [srv "host"] [srv "port"] 1 $::tls]
+ $rr SET x 5
+ catch {[$rr read]} e
+ assert_match {*NOAUTH Authentication required*} $e
+
+ # Fill the output buffer in a loop without reading it and make
+ # sure the client disconnected.
+ # Considering the socket eat some of the replies, we are testing
+ # that such client can't consume more than few MB's.
+ catch {
+ for {set j 0} {$j < 1000000} {incr j} {
+ $rr SET x 5
+ }
+ } e
+ assert_match {I/O error reading reply} $e
+ }
 }
 
 start_server {tags {"auth_binary_password external:skip"}} {
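Review bot: The pre-authentication threshold is a bare literal `1024` in the new `if`, whereas the rest of checkClientOutputBufferLimits appears to take its limits from the client class (`class = getClientType(c)` follows), so a reader cannot tell from the line whether the value is bytes or why this size was chosen; a named constant with a one-line rationale, e.g. `#define UNAUTH_CLIENT_OUTPUT_BUFFER_LIMIT 1024 /* bytes: a single NOAUTH error reply is far smaller, so only pipelined pre-auth traffic reaches this */` (name is a placeholder), would carry that. The new branch returns before `class` is computed, so whatever the caller logs or counts for a limit violation presumably cannot distinguish this unauthenticated-client case from an ordinary class limit; if operators are meant to spot this abuse in the server log, a distinct log line or counter on this path would help, though the caller is outside the hunk. checkClientOutputBufferLimits starts before and continues after this hunk.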
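Review bot: The new test never closes `rr`: the preceding test ends with `$rr close`, but this one leaves the deferred client handle open after its final assert, so it leaks across the rest of the suite; add `catch {$rr close}` after the `assert_match {I/O error reading reply} $e` line (in a catch, since the server side has already dropped the socket). The final assertion also only shows that the write loop eventually hit an I/O error, not that the server closed this client for exceeding the unauthenticated output-buffer limit, so an unrelated disconnect would make the test pass; a stronger check would confirm server-side evidence from a separate authenticated connection, for instance that the unauthenticated connection no longer appears in `CLIENT LIST`. The enclosing start_server block begins before this hunk.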