Reset GC state before closing the lua VM to prevent user data from being
wrongly freed while it still might be used in destructor callbacks.
Created and published by Redis in their OSS branch.
Pulled from Valkey for Redict.
Signed-off-by: Madelyn Olson <madelyneolson@gmail.com>
Signed-off-by: Drew DeVault <sir@cmpwn.com>
Co-authored-by: YaacovHazan <yaacov.hazan@redis.com>
The explanation on the original commit was wrong. Key based access must
have a `~` in order to correctly configure which key prefixes to apply
the selector to. If this is missing, a server assert will be triggered
later.
Cherry-picked and squashed from relevant Valkey changes.
Signed-off-by: Madelyn Olson <madelyneolson@gmail.com>
Signed-off-by: Drew DeVault <sir@cmpwn.com>
Co-authored-by: YaacovHazan <yaacov.hazan@redis.com>
Fix for CVE-2024-31228
This patch was provided to us by Valkey, who received it from Redis Ltd.
> Authenticated users can trigger a denial-of-service by using specially
> crafted, long string match patterns on supported commands such as
> KEYS, SCAN, PSUBSCRIBE, FUNCTION LIST, COMMAND LIST and ACL
> definitions. Matching of extremely long patterns may result in
> unbounded recursion, leading to stack overflow and process crash.
Fixes https://codeberg.org/redict/redict/issues/56
Signed-off-by: Drew DeVault <sir@cmpwn.com>
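The failure mode in the advisory quoted above, shown as an added example that is not the Redis, Valkey or Redict patch: a recursive glob matcher that descends one level per `*` and refuses patterns that nest past a fixed cap instead of exhausting the stack. The names `glob_match`, `GLOB_MAX_DEPTH` and `demo_nested`, the cap of 1000, and the reduced syntax (`*`, `?` and literals only) are assumptions made for this sketch.

```c
#include <stdlib.h>
#include <string.h>

#define GLOB_MAX_DEPTH 1000 /* assumed cap, not taken from the patch */
enum { GLOB_NOMATCH = 0, GLOB_MATCH = 1, GLOB_TOO_DEEP = -1 };
/* Handles '*', '?' and literal bytes; only '*' recurses. */
static int glob_impl(const char *p, size_t plen, const char *s, size_t slen,
                     int depth, int *aborted)
{
    if (depth > GLOB_MAX_DEPTH) { *aborted = 1; return 0; }
    while (plen && slen) {
        if (*p == '*') {
            while (plen > 1 && p[1] == '*') { p++; plen--; } /* collapse "**" */
            if (plen == 1) return 1; /* trailing '*' matches the rest */
            while (slen) {
                if (glob_impl(p + 1, plen - 1, s, slen, depth + 1, aborted)) return 1;
                if (*aborted) return 0; /* sticky: no backtracking after the cap */
                s++; slen--;
            }
            return 0;
        }
        if (*p != '?' && *p != *s) return 0;
        p++; plen--; s++; slen--;
    }
    while (plen && *p == '*') { p++; plen--; } /* leftover stars match empty */
    return plen == 0 && slen == 0;
}

/* Returns GLOB_MATCH, GLOB_NOMATCH, or GLOB_TOO_DEEP when the cap was hit. */
int glob_match(const char *pattern, const char *string)
{
    int aborted = 0;
    int r = glob_impl(pattern, strlen(pattern), string, strlen(string), 0, &aborted);
    return aborted ? GLOB_TOO_DEEP : (r ? GLOB_MATCH : GLOB_NOMATCH);
}

/* Constructed input: "*a" repeated n times against a string of n 'a' bytes. */
int demo_nested(size_t n)
{
    char *pat = malloc(2 * n + 1), *str = malloc(n + 1);
    int r = GLOB_NOMATCH;
    if (pat && str) {
        for (size_t i = 0; i < n; i++) { pat[2*i] = '*'; pat[2*i+1] = 'a'; str[i] = 'a'; }
        pat[2 * n] = str[n] = '\0';
        r = glob_match(pat, str);
    }
    free(pat); free(str);
    return r;
}
```

Returning a distinct `GLOB_TOO_DEEP` lets the caller log or reject the pattern rather than treat it as an ordinary non-match.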
Fix for CVE-2024-31227
This patch was provided to us by Valkey, who received it from Redis Ltd.
> An authenticated user with sufficient privileges may create a
> malformed ACL selector which, when accessed, triggers a server panic
> and subsequent denial of service.
Fixes: https://codeberg.org/redict/redict/issues/54
Signed-off-by: Drew DeVault <sir@cmpwn.com>
This allows for redict to use the same include paths for both system and
vendored hiredict, allowing use of system hiredict without patches.
Signed-off-by: Anna (navi) Figueiredo Gomes <navi@vlhl.dev>
This time, this shouldn't cause CI tests to fail.
Co-authored-by: Chris Lamb <lamby@debian.org>
Signed-off-by: Maytham Alsudany <maytha8thedev@gmail.com>
Now that most of the docs have been migrated over, we can update the references
in the codebase to point to redict.io.
Signed-off-by: Drew DeVault <sir@cmpwn.com>
This is a fairly naive change, but it seems to be correct. Will review
more carefully later, as well as adding a shim for source-level Redis
Modules compatibility.
Signed-off-by: Drew DeVault <sir@cmpwn.com>
In ASAN CI, we find the server may crash because of NULL ptr in `kvstoreIncrementallyRehash`.
The reason is that we use two phase unlink in `dbGenericDelete`. After `kvstoreDictTwoPhaseUnlinkFind`,
the dict may be in rehashing and only have one element in ht[0] of `db->keys`.
When we delete the last element in `db->keys` meanwhile `db->keys` is in rehashing, we may free the
dict in `kvstoreDictTwoPhaseUnlinkFree` without deleting the node in `kvs->rehashing`. Then we may
use this freed ptr in `kvstoreIncrementallyRehash` in the `serverCron` and cause the crash.
This is indeed a use-after-free problem.
The fix is to call rehashingCompleted in dictRelease and dictEmpty, so that every call for
rehashingStarted is always matched with a rehashingCompleted.
Adding a test in the unit test to catch it consistently.
---------
Co-authored-by: Oran Agra <oran@redislabs.com>
Co-authored-by: debing.sun <debing.sun@redis.com>
In `beginResultEmission`, -1 means the result length is not known in
advance. But after #12185, if we pass -1 to `zrangeResultBeginStore`, it
will convert to SIZE_MAX in `zsetTypeCreate` and try to `dictExpand`.
Although `dictExpand` won't succeed because the size overflows, I think
we'd better avoid this wrong conversion.
This bug can be triggered when the source of `zrangestore` doesn't exist
or we use `zrangestore` command with `byscore` or `bylex`.
The impact is that dst keys will be converted to use skiplist instead of
listpack.
Users who abuse lua error_reply will generate a new error object on each
error call, which can make server.errors get bigger and bigger. This
will cause the server to block when calling INFO (we also return errorstats
by default).
To prevent the damage it can cause, when a misuse is detected, we will
print a warning log and disable the errorstats to avoid adding more new
errors. It can be re-enabled via CONFIG RESETSTAT.
Because server.errors may be very large (it may be better now since we
have the limit), config resetstat may block for a while. So in
resetErrorTableStats, we will try to lazyfree server.errors.
See the related discussion at the end of #8217.