[sr-dev] git:master:75bbbe40: ndb_redis: detect argument specifiers for redis_cmd() with three params
Daniel-Constantin Mierla
miconda at gmail.com
Wed Nov 29 10:59:10 CET 2017
Module: kamailio
Branch: master
Commit: 75bbbe4059cb6fde4c74fa9157f400a24e6f7496
URL: https://github.com/kamailio/kamailio/commit/75bbbe4059cb6fde4c74fa9157f400a24e6f7496
Author: Daniel-Constantin Mierla <miconda at gmail.com>
Committer: Daniel-Constantin Mierla <miconda at gmail.com>
Date: 2017-11-29T10:58:53+01:00
ndb_redis: detect argument specifiers for redis_cmd() with three params
- check if %s or %d is part of the command, because it makes the redis
api expect more params to the commands and can crash if none is found
- reported by GH #1342
---
Modified: src/modules/ndb_redis/ndb_redis_mod.c
---
Diff: https://github.com/kamailio/kamailio/commit/75bbbe4059cb6fde4c74fa9157f400a24e6f7496.diff
Patch: https://github.com/kamailio/kamailio/commit/75bbbe4059cb6fde4c74fa9157f400a24e6f7496.patch
---
diff --git a/src/modules/ndb_redis/ndb_redis_mod.c b/src/modules/ndb_redis/ndb_redis_mod.c
index 64f2b46897..e984a902bd 100644
--- a/src/modules/ndb_redis/ndb_redis_mod.c
+++ b/src/modules/ndb_redis/ndb_redis_mod.c
@@ -177,6 +177,7 @@ static int w_redis_cmd3(struct sip_msg* msg, char* ssrv, char* scmd,
char* sres)
{
str s[3];
+ int i;
if(fixup_get_svalue(msg, (gparam_t*)ssrv, &s[0])!=0)
{
@@ -188,6 +189,14 @@ static int w_redis_cmd3(struct sip_msg* msg, char* ssrv, char* scmd,
LM_ERR("no redis command\n");
return -1;
}
+ for(i=0; i<s[1].len-1; i++) {
+ if(s[1].s[i]=='%') {
+ if(s[1].s[i+1]=='s' || s[1].s[i+1]=='b') {
+ LM_ERR("command argument specifier found, but no params\n");
+ return -1;
+ }
+ }
+ }
if(fixup_get_svalue(msg, (gparam_t*)sres, &s[2])!=0)
{
LM_ERR("no redis reply name\n");
@@ -928,6 +937,19 @@ int bind_ndb_redis(ndb_redis_api_t *api)
*/
static int ki_redis_cmd(sip_msg_t *msg, str *srv, str *rcmd, str *sres)
{
+ int i;
+ if(rcmd==NULL || rcmd->s==NULL) {
+ LM_ERR("invalid command\n");
+ return -1;
+ }
+ for(i=0; i<rcmd->len-1; i++) {
+ if(rcmd->s[i]=='%') {
+ if(rcmd->s[i+1]=='s' || rcmd->s[i+1]=='b') {
+ LM_ERR("command argument specifier found, but no params\n");
+ return -1;
+ }
+ }
+ }
return redisc_exec(srv, sres, rcmd);
}
@@ -1007,4 +1029,4 @@ int mod_register(char *path, int *dlflags, void *p1, void *p2)
{
sr_kemi_modules_add(sr_kemi_ndb_redis_exports);
return 0;
-}
\ No newline at end of file
+}
More information about the sr-dev
mailing list