Prevent clients from making too large multibulk requests

src/networking.c

@@ -724,6 +724,10 @@ int processMultibulkBuffer(redisClient *c) {
         if (c->multibulklen <= 0) {
             c->querybuf = sdsrange(c->querybuf,pos,-1);
             return REDIS_OK;
+        } else if (c->multibulklen > 1024*1024) {
+            addReplyError(c,"Protocol error: invalid multibulk length");
+            setProtocolError(c,pos);
+            return REDIS_ERR;
         }
 
         /* Setup argv array on client structure */

tests/unit/protocol.tcl

@@ -13,6 +13,13 @@ start_server {tags {"protocol"}} {
         assert_equal PONG [r ping]
     }
 
+    test "Out of range multibulk length" {
+        reconnect
+        r write "*20000000\r\n"
+        r flush
+        assert_error "*invalid multibulk length*" {r read}
+    }
+
     test "Wrong multibulk payload header" {
         reconnect
         r write "*3\r\n\$3\r\nSET\r\n\$1\r\nx\r\nfooz\r\n"