From 63dae5232415d216dfc1acce8b5335e20aa3b178 Mon Sep 17 00:00:00 2001
From: namtsui <384455+namtsui@users.noreply.github.com>
Date: Tue, 28 Jul 2020 22:25:56 -0700
Subject: [PATCH] Avoid an out-of-bounds read in the redis-sentinel (#7443)

The Redis sentinel would crash with a segfault after a few minutes because it tried to read from a page without read permissions. Check up front whether the sds is long enough to contain redis:slave or redis:master before memcmp() as is done everywhere else in sentinelRefreshInstanceInfo(). Bug report and commit message from Theo Buehler. Fix from Nam Nguyen.
Co-authored-by: Nam Nguyen
---
 src/sentinel.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/sentinel.c b/src/sentinel.c
index 5be4193dc..5bd594955 100644
--- a/src/sentinel.c
+++ b/src/sentinel.c
@@ -2218,8 +2218,8 @@ void sentinelRefreshInstanceInfo(sentinelRedisInstance *ri, const char *info) {
 }
 /* role: */
- if (!memcmp(l,"role:master",11)) role = SRI_MASTER;
- else if (!memcmp(l,"role:slave",10)) role = SRI_SLAVE;
+ if (sdslen(l) >= 11 && !memcmp(l,"role:master",11)) role = SRI_MASTER;
+ else if (sdslen(l) >= 10 && !memcmp(l,"role:slave",10)) role = SRI_SLAVE;
 if (role == SRI_SLAVE) {
 /* master_host: */
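Review bot: In both new conditions the length is written twice as a bare literal (`11`, `10`) that has to stay equal to the length of the string next to it, so a later edit to one prefix can silently bring the over-read back. Deriving it from the literal removes that coupling, e.g. `sdslen(l) >= sizeof("role:master")-1 && !memcmp(l,"role:master",sizeof("role:master")-1)`, or a small prefix-match helper shared with the other checks the commit message mentions. A one-line comment above the test would also record why the guard exists: `/* memcmp() compares all N bytes and does not stop at the NUL, so confirm the sds holds at least N first. */`. Since `info` appears to be text received from a monitored instance, a regression test that feeds a line shorter than the prefix would be worth adding. The body of sentinelRefreshInstanceInfo() starts and ends outside this hunk, so the neighbouring checks are not visible here.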