- 17 5月, 2017 1 次提交
-
-
由 antirez 提交于
-
- 15 5月, 2017 1 次提交
-
-
由 antirez 提交于
Close #3993.
-
- 21 4月, 2017 4 次提交
- 20 4月, 2017 1 次提交
-
-
由 张文康 提交于
-
- 14 4月, 2017 1 次提交
-
-
由 antirez 提交于
And many other related Github issues... all reporting the same problem. There was probably just not enough backlog in certain unlucky runs. I'll ask people that can reporduce if they see now this as fixed as well.
-
- 20 2月, 2017 2 次提交
-
-
由 John.Koepi 提交于
-
由 antirez 提交于
Close #3804.
-
- 12 2月, 2017 2 次提交
-
-
由 antirez 提交于
-
由 antirez 提交于
This reverts commit 153f2f00. Jemalloc 4.4.0 is apparently causing deadlocks in certain systems. See for example https://github.com/antirez/redis/issues/3799. As a cautionary step we are reverting the commit back and releasing a new stable Redis version.
-
- 09 2月, 2017 1 次提交
-
-
由 antirez 提交于
After investigating issue #3796, it was discovered that MIGRATE could call migrateCloseSocket() after the original MIGRATE c->argv was already rewritten as a DEL operation. As a result the host/port passed to migrateCloseSocket() could be anything, often a NULL pointer that gets deferenced crashing the server. Now the socket is closed at an earlier time when there is a socket error in a later stage where no retry will be performed, before we rewrite the argument vector. Moreover a check was added so that later, in the socket_err label, there is no further attempt at closing the socket if the argument was rewritten. This fix should resolve the bug reported in #3796.
-
- 31 1月, 2017 1 次提交
-
-
由 antirez 提交于
-
- 30 1月, 2017 7 次提交
-
-
由 antirez 提交于
Ziplists had a bug that was discovered while investigating a different issue, resulting in a corrupted ziplist representation, and a likely segmentation foult and/or data corruption of the last element of the ziplist, once the ziplist is accessed again. The bug happens when a specific set of insertions / deletions is performed so that an entry is encoded to have a "prevlen" field (the length of the previous entry) of 5 bytes but with a count that could be encoded in a "prevlen" field of a since byte. This could happen when the "cascading update" process called by ziplistInsert()/ziplistDelete() in certain contitious forces the prevlen to be bigger than necessary in order to avoid too much data moving around. Once such an entry is generated, inserting a very small entry immediately before it will result in a resizing of the ziplist for a count smaller than the current ziplist length (which is a violation, inserting code expects the ziplist to get bigger actually). So an FF byte is inserted in a misplaced position. Moreover a realloc() is performed with a count smaller than the ziplist current length so the final bytes could be trashed as well. SECURITY IMPLICATIONS: Currently it looks like an attacker can only crash a Redis server by providing specifically choosen commands. However a FF byte is written and there are other memory operations that depend on a wrong count, so even if it is not immediately apparent how to mount an attack in order to execute code remotely, it is not impossible at all that this could be done. Attacks always get better... and we did not spent enough time in order to think how to exploit this issue, but security researchers or malicious attackers could. REPRODUCING: The bug can be reproduced with the following commands. redis-cli del list redis-cli rpush list one redis-cli rpush list two redis-cli rpush list AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA redis-cli rpush list AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA redis-cli rpush list three redis-cli rpush list a redis-cli lrem list 1 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA redis-cli linsert list after AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 10 redis-cli lrange list 0 -1 Instead of "rpush list a", use "rpush list 10" in order to trigger a data corruption instead of a crash.
-
由 antirez 提交于
The original jemalloc source tree was modified to: 1. Remove the configure error that prevents nested builds. 2. Insert the Redis private Jemalloc API in order to allow the Redis fragmentation function to work.
-
由 miter 提交于
-
由 oranagra 提交于
getExpire calls dictFind which can do rehashing. found by calling computeDatasetDigest from serverCron and running the test suite.
-
-
由 antirez 提交于
This problem was properly solved in 4.0 / unstable. Here is just a quick fix for the warning.
-
由 antirez 提交于
This is an attempt at mitigating problems due to cross protocol scripting, an attack targeting services using line oriented protocols like Redis that can accept HTTP requests as valid protocol, by discarding the invalid parts and accepting the payloads sent, for example, via a POST request. For this to be effective, when we detect POST and Host: and terminate the connection asynchronously, the networking code was modified in order to never process further input. It was later verified that in a pipelined request containing a POST command, the successive commands are not executed.
-
- 27 1月, 2017 2 次提交
-
-
由 antirez 提交于
-
由 Jan-Erik Rediger 提交于
-
- 21 12月, 2016 1 次提交
-
-
由 Yossi Gottlieb 提交于
This happens if the server (mysteriously) returns an unexpected response to the COMMAND command.
-
- 14 12月, 2016 2 次提交
-
-
由 antirez 提交于
After the fix for #3673 the ttl var is always initialized inside the loop itself, so the early initialization is not needed. Variables declaration also moved to a more local scope.
-
由 Jan-Erik Rediger 提交于
Before, if a previous key had a TTL set but the current one didn't, the TTL was reused and thus resulted in wrong expirations set. This behaviour was experienced, when `MigrateDefaultPipeline` in redis-trib was set to >1 Fixes #3655
-
- 06 12月, 2016 1 次提交
-
-
由 antirez 提交于
-
- 05 12月, 2016 2 次提交
-
-
由 antirez 提交于
The test now uses more diverse radius sizes, especially sizes near or greater the whole earth surface are used, that are known to trigger edge cases. Moreover the PRNG seeding was probably resulting into the same sequence tested over and over again, now seeding unsing the current unix time in milliseconds. Related to #3631.
-
由 antirez 提交于
A bug was reported in the context in issue #3631. The root cause of the bug was that certain neighbor boxes were zeroed after the "inside the bounding box or not" check, simply because the bounding box computation function was wrong. A few debugging infos where enhanced and moved in other parts of the code. A check to avoid steps=0 was added, but is unrelated to this issue and I did not verified it was an actual bug in practice.
-
- 16 11月, 2016 1 次提交
-
-
由 antirez 提交于
-
- 31 10月, 2016 3 次提交
- 26 10月, 2016 3 次提交
-
-
由 antirez 提交于
-
由 zach shipko 提交于
-
由 antirez 提交于
Compiling Redis worked as a side effect of jemalloc target specifying -ldl as needed linker options, otherwise it is not provided during linking and dlopen() API will remain unresolved symbols.
-
- 26 9月, 2016 3 次提交
-
-
由 antirez 提交于
-
由 antirez 提交于
-
由 antirez 提交于
This commit fixes a vunlerability reported by Cory Duplantis of Cisco Talos, see TALOS-2016-0206 for reference. CONFIG SET client-output-buffer-limit accepts as client class "master" which is actually only used to implement CLIENT KILL. The "master" class has ID 3. What happens is that the global structure: server.client_obuf_limits[class] Is accessed with class = 3. However it is a 3 elements array, so writing the 4th element means to write up to 24 bytes of memory *after* the end of the array, since the structure is defined as: typedef struct clientBufferLimitsConfig { unsigned long long hard_limit_bytes; unsigned long long soft_limit_bytes; time_t soft_limit_seconds; } clientBufferLimitsConfig; EVALUATION OF IMPACT: Checking what's past the boundaries of the array in the global 'server' structure, we find AOF state fields: clientBufferLimitsConfig client_obuf_limits[CLIENT_TYPE_OBUF_COUNT]; /* AOF persistence */ int aof_state; /* AOF_(ON|OFF|WAIT_REWRITE) */ int aof_fsync; /* Kind of fsync() policy */ char *aof_filename; /* Name of the AOF file */ int aof_no_fsync_on_rewrite; /* Don't fsync if a rewrite is in prog. */ int aof_rewrite_perc; /* Rewrite AOF if % growth is > M and... */ off_t aof_rewrite_min_size; /* the AOF file is at least N bytes. */ off_t aof_rewrite_base_size; /* AOF size on latest startup or rewrite. */ off_t aof_current_size; /* AOF current size. */ Writing to most of these fields should be harmless and only cause problems in Redis persistence that should not escalate to security problems. However unfortunately writing to "aof_filename" could be potentially a security issue depending on the access pattern. Searching for "aof.filename" accesses in the source code returns many different usages of the field, including using it as input for open(), logging to the Redis log file or syslog, and calling the rename() syscall. It looks possible that attacks could lead at least to informations disclosure of the state and data inside Redis. However note that the attacker must already have access to the server. But, worse than that, it looks possible that being able to change the AOF filename can be used to mount more powerful attacks: like overwriting random files with AOF data (easily a potential security issue as demostrated here: http://antirez.com/news/96), or even more subtle attacks where the AOF filename is changed to a path were a malicious AOF file is loaded in order to exploit other potential issues when the AOF parser is fed with untrusted input (no known issue known currently). The fix checks the places where the 'master' class is specifiedf in order to access configuration data structures, and return an error in this cases. WHO IS AT RISK? The "master" client class was introduced in Redis in Jul 28 2015. Every Redis instance released past this date is not vulnerable while all the releases after this date are. Notably: Redis 3.0.x is NOT vunlerable. Redis 3.2.x IS vulnerable. Redis unstable is vulnerable. In order for the instance to be at risk, at least one of the following conditions must be true: 1. The attacker can access Redis remotely and is able to send the CONFIG SET command (often banned in managed Redis instances). 2. The attacker is able to control the "redis.conf" file and can wait or trigger a server restart. The problem was fixed 26th September 2016 in all the releases affected.
-
- 12 9月, 2016 1 次提交
-
-
由 antirez 提交于
This commit attempts to fix a problem with PR #3467.
-