Limiting output buffer for unauthenticated client (CVE-2025-21605) (#13993)

For unauthenticated clients the output buffer is limited to prevent them from abusing it by not reading the replies
2025-04-30 09:58:51 +03:00 · 2025-04-30 09:58:51 +03:00 · de16bee70a
parent 14dd59ab12
commit de16bee70a
2 changed files with 23 additions and 0 deletions
--- a/src/networking.c
+++ b/src/networking.c
@ -4217,6 +4217,11 @@ int checkClientOutputBufferLimits(client *c) {
    int soft = 0, hard = 0, class;
    unsigned long used_mem = getClientOutputBufferMemoryUsage(c);

+    /* For unauthenticated clients the output buffer is limited to prevent
+     * them from abusing it by not reading the replies */
+    if (used_mem > 1024 && authRequired(c))
+        return 1;
+
    class = getClientType(c);
    /* For the purpose of output buffer limiting, masters are handled
     * like normal clients. */
--- a/tests/unit/auth.tcl
+++ b/tests/unit/auth.tcl
@ -58,6 +58,24 @@ start_server {tags {"auth external:skip"} overrides {requirepass foobar}} {
        assert_match {*unauthenticated bulk length*} $e
        $rr close
    }
+
+    test {For unauthenticated clients output buffer is limited} {
+        set rr [redis [srv "host"] [srv "port"] 1 $::tls]
+        $rr SET x 5
+        catch {[$rr read]} e
+        assert_match {*NOAUTH Authentication required*} $e
+
+        # Fill the output buffer in a loop without reading it and make
+        # sure the client disconnected.
+        # Considering the socket eat some of the replies, we are testing
+        # that such client can't consume more than few MB's.
+        catch {
+            for {set j 0} {$j < 1000000} {incr j} {
+                    $rr SET x 5
+            }
+        } e
+        assert_match {I/O error reading reply} $e
+    }
 }

 start_server {tags {"auth_binary_password external:skip"}} {