[sr-dev] git:5.1:dab49483: ndb_redis: detect argument specifiers for redis_cmd() with three params

Daniel-Constantin Mierla miconda at gmail.com
Mon Dec 4 09:32:56 CET 2017 

Module: kamailio
Branch: 5.1
Commit: dab49483e419dd810c7b5133bf64063df0ad6696
URL: https://github.com/kamailio/kamailio/commit/dab49483e419dd810c7b5133bf64063df0ad6696

Author: Daniel-Constantin Mierla <miconda at gmail.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date: 2017-12-04T09:26:00+01:00

ndb_redis: detect argument specifiers for redis_cmd() with three params

- check if %s or %d is part of the command, because it makes the redis
api expect more params to the commands and can crash if none is found
- reported by GH #1342

(cherry picked from commit 75bbbe4059cb6fde4c74fa9157f400a24e6f7496)

---

Modified: src/modules/ndb_redis/ndb_redis_mod.c

---

Diff:  https://github.com/kamailio/kamailio/commit/dab49483e419dd810c7b5133bf64063df0ad6696.diff
Patch: https://github.com/kamailio/kamailio/commit/dab49483e419dd810c7b5133bf64063df0ad6696.patch

---

diff --git a/src/modules/ndb_redis/ndb_redis_mod.c b/src/modules/ndb_redis/ndb_redis_mod.c
index 64f2b46897..e984a902bd 100644
--- a/src/modules/ndb_redis/ndb_redis_mod.c
+++ b/src/modules/ndb_redis/ndb_redis_mod.c
@@ -177,6 +177,7 @@ static int w_redis_cmd3(struct sip_msg* msg, char* ssrv, char* scmd,
 		char* sres)
 {
 	str s[3];
+	int i;
 
 	if(fixup_get_svalue(msg, (gparam_t*)ssrv, &s[0])!=0)
 	{
@@ -188,6 +189,14 @@ static int w_redis_cmd3(struct sip_msg* msg, char* ssrv, char* scmd,
 		LM_ERR("no redis command\n");
 		return -1;
 	}
+	for(i=0; i<s[1].len-1; i++) {
+		if(s[1].s[i]=='%') {
+			if(s[1].s[i+1]=='s' || s[1].s[i+1]=='b') {
+				LM_ERR("command argument specifier found, but no params\n");
+				return -1;
+			}
+		}
+	}
 	if(fixup_get_svalue(msg, (gparam_t*)sres, &s[2])!=0)
 	{
 		LM_ERR("no redis reply name\n");
@@ -928,6 +937,19 @@ int bind_ndb_redis(ndb_redis_api_t *api)
  */
 static int ki_redis_cmd(sip_msg_t *msg, str *srv, str *rcmd, str *sres)
 {
+	int i;
+	if(rcmd==NULL || rcmd->s==NULL) {
+		LM_ERR("invalid command\n");
+		return -1;
+	}
+	for(i=0; i<rcmd->len-1; i++) {
+		if(rcmd->s[i]=='%') {
+			if(rcmd->s[i+1]=='s' || rcmd->s[i+1]=='b') {
+				LM_ERR("command argument specifier found, but no params\n");
+				return -1;
+			}
+		}
+	}
 	return redisc_exec(srv, sres, rcmd);
 }
 
@@ -1007,4 +1029,4 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2)
 {
 	sr_kemi_modules_add(sr_kemi_ndb_redis_exports);
 	return 0;
-}
\ No newline at end of file
+}

More information about the sr-dev mailing list