Security: fix redis-cli buffer overflow.

Thanks to Fakhri Zulkifli for reporting it. The fix switched to dynamic allocation, copying the final prompt in the static buffer only at the end.

Security: fix redis-cli buffer overflow.
Thanks to Fakhri Zulkifli for reporting it. The fix switched to dynamic allocation, copying the final prompt in the static buffer only at the end.
9fdcc159 · antirez · cf760071 · 9fdcc159
隐藏空白更改
内联并排

Showing with 16 addition and 11 deletion

src/redis-cli.c src/redis-cli.c +16 -11

未找到文件。
--- a/src/redis-cli.c
+++ b/src/redis-cli.c
@@ -152,20 +152,25 @@ static long long mstime(void) {
 }
 static void cliRefreshPrompt(void) {
-    int len;
    if (config.eval_ldb) return;
-    if (config.hostsocket != NULL)
-        len = snprintf(config.prompt,sizeof(config.prompt),"redis %s",
+    sds prompt = sdsempty();
-                       config.hostsocket);
+    if (config.hostsocket != NULL) {
-    else
+        prompt = sdscatfmt(prompt,"redis %s",config.hostsocket);
-        len = anetFormatAddr(config.prompt, sizeof(config.prompt),
+    } else {
-                           config.hostip, config.hostport);
+        char addr[256];
+        anetFormatAddr(addr, sizeof(addr), config.hostip, config.hostport);
+        prompt = sdscatlen(prompt,addr,strlen(addr));
+    }
    /* Add [dbnum] if needed */
    if (config.dbnum != 0)
-        len += snprintf(config.prompt+len,sizeof(config.prompt)-len,"[%d]",
+        prompt = sdscatfmt(prompt,"[%i]",config.dbnum);
-            config.dbnum);
-    snprintf(config.prompt+len,sizeof(config.prompt)-len,"> ");
+    /* Copy the prompt in the static buffer. */
+    prompt = sdscatlen(prompt,"> ",2);
+    snprintf(config.prompt,sizeof(config.prompt),"%s",prompt);
+    sdsfree(prompt);
 }
 /* Return the name of the dotfile for the specified 'dotfilename'.