Prevent unbounded recursive pattern matching

Fix for CVE-2024-31228 This patch was provided to us by Valkey, who received it from Redis Ltd. > Authenticated users can trigger a denial-of-service by using specially > crafted, long string match patterns on supported commands such as > KEYS, SCAN, PSUBSCRIBE, FUNCTION LIST, COMMAND LIST and ACL > definitions. Matching of extremely long patterns may result in > unbounded recursion, leading to stack overflow and process crash. Fixes https://codeberg.org/redict/redict/issues/56 Signed-off-by: Drew DeVault <sir@cmpwn.com>
2025-01-21 23:58:51 -05:00 · 2024-09-16 09:08:35 +02:00 · 2024-09-16 09:08:35 +02:00 · a8edd3f6ac
commit a8edd3f6ac
parent c09bc5df79
2 changed files with 12 additions and 3 deletions
--- a/src/util.c
+++ b/src/util.c
@ -33,8 +33,11 @@

 /* Glob-style pattern matching. */
 static int stringmatchlen_impl(const char *pattern, int patternLen,
-        const char *string, int stringLen, int nocase, int *skipLongerMatches)
+        const char *string, int stringLen, int nocase, int *skipLongerMatches, int nesting)
 {
+    /* Protection against abusive patterns. */
+    if (nesting > 1000) return 0;
+
    while(patternLen && stringLen) {
        switch(pattern[0]) {
        case '*':
@ -46,7 +49,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen,
                return 1; /* match */
            while(stringLen) {
                if (stringmatchlen_impl(pattern+1, patternLen-1,
-                            string, stringLen, nocase, skipLongerMatches))
+                            string, stringLen, nocase, skipLongerMatches, nesting+1))
                    return 1; /* match */
                if (*skipLongerMatches)
                    return 0; /* no match */
@ -168,7 +171,7 @@ static int stringmatchlen_impl(const char *pattern, int patternLen,
 int stringmatchlen(const char *pattern, int patternLen,
        const char *string, int stringLen, int nocase) {
    int skipLongerMatches = 0;
-    return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches);
+    return stringmatchlen_impl(pattern,patternLen,string,stringLen,nocase,&skipLongerMatches,0);
 }

 int stringmatch(const char *pattern, const char *string, int nocase) {
--- a/tests/unit/keyspace.tcl
+++ b/tests/unit/keyspace.tcl
@ -514,6 +514,12 @@ foreach {type large} [array get largevalue] {
        r KEYS "a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*a*b"
    } {}

+    test {Regression for pattern matching very long nested loops} {
+        r flushdb
+        r SET [string repeat "a" 50000] 1
+        r KEYS [string repeat "*?" 50000]
+    } {}
+
    test {Coverage: basic SWAPDB test and unhappy path} {
       r flushall
       r select 0