git:5.1:dab49483: ndb_redis: detect argument specifiers for redis_cmd() with three params
4 Dec
2017
4 Dec
'17
11:32 a.m.
Module: kamailio
Branch: 5.1
Commit: dab49483e419dd810c7b5133bf64063df0ad6696
URL: https://github.com/kamailio/kamailio/commit/dab49483e419dd810c7b5133bf64063…
Author: Daniel-Constantin Mierla <miconda(a)gmail.com>
Committer: Daniel-Constantin Mierla <miconda(a)gmail.com>
Date: 2017-12-04T09:26:00+01:00
ndb_redis: detect argument specifiers for redis_cmd() with three params
- check if %s or %d is part of the command, because it makes the redis
api expect more params to the commands and can crash if none is found
- reported by GH #1342
(cherry picked from commit 75bbbe4059cb6fde4c74fa9157f400a24e6f7496)
---
Modified: src/modules/ndb_redis/ndb_redis_mod.c
---
Diff:
https://github.com/kamailio/kamailio/commit/dab49483e419dd810c7b5133bf64063…
Patch:
https://github.com/kamailio/kamailio/commit/dab49483e419dd810c7b5133bf64063…
---
diff --git a/src/modules/ndb_redis/ndb_redis_mod.c
b/src/modules/ndb_redis/ndb_redis_mod.c
index 64f2b46897..e984a902bd 100644
--- a/src/modules/ndb_redis/ndb_redis_mod.c
+++ b/src/modules/ndb_redis/ndb_redis_mod.c
@@ -177,6 +177,7 @@ static int w_redis_cmd3(struct sip_msg* msg, char* ssrv, char* scmd,
char* sres)
{
str s[3];
+ int i;
if(fixup_get_svalue(msg, (gparam_t*)ssrv, &s[0])!=0)
{
@@ -188,6 +189,14 @@ static int w_redis_cmd3(struct sip_msg* msg, char* ssrv, char* scmd,
LM_ERR("no redis command\n");
return -1;
}
+ for(i=0; i<s[1].len-1; i++) {
+ if(s[1].s[i]=='%') {
+ if(s[1].s[i+1]=='s' || s[1].s[i+1]=='b') {
+ LM_ERR("command argument specifier found, but no params\n");
+ return -1;
+ }
+ }
+ }
if(fixup_get_svalue(msg, (gparam_t*)sres, &s[2])!=0)
{
LM_ERR("no redis reply name\n");
@@ -928,6 +937,19 @@ int bind_ndb_redis(ndb_redis_api_t *api)
*/
static int ki_redis_cmd(sip_msg_t *msg, str *srv, str *rcmd, str *sres)
{
+ int i;
+ if(rcmd==NULL || rcmd->s==NULL) {
+ LM_ERR("invalid command\n");
+ return -1;
+ }
+ for(i=0; i<rcmd->len-1; i++) {
+ if(rcmd->s[i]=='%') {
+ if(rcmd->s[i+1]=='s' || rcmd->s[i+1]=='b') {
+ LM_ERR("command argument specifier found, but no params\n");
+ return -1;
+ }
+ }
+ }
return redisc_exec(srv, sres, rcmd);
}
@@ -1007,4 +1029,4 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2)
{
sr_kemi_modules_add(sr_kemi_ndb_redis_exports);
return 0;
-}
\ No newline at end of file
+}
2552
days inactive
2552
days old
0 comments
1 participants
participants (1)
-
Daniel-Constantin Mierla