59 Commits

Author SHA1 Message Date
antirez
0dbfb1d154 Fix ziplist fix... 2017-02-01 17:01:31 +01:00
antirez
c495d095ae Ziplist: insertion bug under particular conditions fixed.
Ziplists had a bug that was discovered while investigating a different
issue, resulting in a corrupted ziplist representation, and a likely
segmentation foult and/or data corruption of the last element of the
ziplist, once the ziplist is accessed again.

The bug happens when a specific set of insertions / deletions is
performed so that an entry is encoded to have a "prevlen" field (the
length of the previous entry) of 5 bytes but with a count that could be
encoded in a "prevlen" field of a since byte. This could happen when the
"cascading update" process called by ziplistInsert()/ziplistDelete() in
certain contitious forces the prevlen to be bigger than necessary in
order to avoid too much data moving around.

Once such an entry is generated, inserting a very small entry
immediately before it will result in a resizing of the ziplist for a
count smaller than the current ziplist length (which is a violation,
inserting code expects the ziplist to get bigger actually). So an FF
byte is inserted in a misplaced position. Moreover a realloc() is
performed with a count smaller than the ziplist current length so the
final bytes could be trashed as well.

SECURITY IMPLICATIONS:

Currently it looks like an attacker can only crash a Redis server by
providing specifically choosen commands. However a FF byte is written
and there are other memory operations that depend on a wrong count, so
even if it is not immediately apparent how to mount an attack in order
to execute code remotely, it is not impossible at all that this could be
done. Attacks always get better... and we did not spent enough time in
order to think how to exploit this issue, but security researchers
or malicious attackers could.
2017-02-01 15:01:59 +01:00
antirez
3a7410a8a6 ziplist: better comments, some refactoring. 2017-01-30 10:12:47 +01:00
antirez
2cd1ae736f Ziplist: remove static from functions, they prevent good crash reports. 2017-01-13 11:55:13 +01:00
Justin Carvalho
7c64e88963 Fix missing brackets around encoding variable in ZIP_DECODE_LENGTH macro 2016-12-19 17:37:41 -05:00
antirez
d634c36253 ziplist.c explanation of format improved a bit. 2016-12-16 09:04:57 +01:00
antirez
ac61f90625 DEBUG: new "ziplist" subcommand added. Dumps a ziplist on stdout.
The commit improves ziplistRepr() and adds a new debugging subcommand so
that we can trigger the dump directly from the Redis API.
This command capability was used while investigating issue #3684.
2016-12-16 09:02:50 +01:00
Matt Stancliff
0f15eb183b Free ziplist test lists during tests
Freeing our test lists helps keep valgrind output clean
2015-01-02 11:16:08 -05:00
Matt Stancliff
9d2dc0249c Add ziplistMerge()
This started out as #2158 by sunheehnus, but I kept rewriting it
until I could understand things more easily and get a few more
correctness guarantees out of the readability flow.

The original commit created and returned a new ziplist with the contents of
both input ziplists, but I prefer to grow one of the input ziplists
and destroy the other one.

So, instead of malloc+copy as in #2158, the merge now reallocs one of
the existing ziplists and copies the other ziplist into the new space.

Also added merge test cases to ziplistTest()
2015-01-02 11:16:08 -05:00
Matt Stancliff
9b786b124d Cleanup ziplist valgrind warnings
Valgrind can't detect 'memset' initializes things, so let's
statically initialize them to remove some unnecessary warnings.
2014-12-23 09:31:04 -05:00
Matt Stancliff
1dfcd75ae3 Fix ziplist test for pop()
The previous test wasn't returning the new ziplist, so the test
was invalid.  Now the test works properly.

These problems were simultaenously discovered in #2154 and that
PR also had an additional fix we included here.
2014-12-23 09:31:03 -05:00
Matt Stancliff
53b1ee34dd Fix ziplistDeleteRange index parameter
It's valid to delete from negative offsets, so we *don't*
want unsigned arguments here.
2014-12-23 09:31:03 -05:00
Matt Stancliff
fae53dea33 Fix how zipEntry returns values
zipEntry was returning a struct, but that caused some
problems with tests under 32 bit builds.

The tests run better if we operate on structs allocated in the
caller without worrying about copying on return.
2014-12-23 09:31:03 -05:00
Matt Stancliff
8febcffdc5 Allow all code tests to run using Redis args
Previously, many files had individual main() functions for testing,
but each required being compiled with their own testing flags.
That gets difficult when you have 8 different flags you need
to set just to run all tests (plus, some test files required
other files to be compiled aaginst them, and it seems some didn't
build at all without including the rest of Redis).

Now all individual test main() funcions are renamed to a test
function for the file itself and one global REDIS_TEST define enables
testing across the entire codebase.

Tests can now be run with:
  - `./redis-server test <test>`

  e.g. ./redis-server test ziplist

If REDIS_TEST is not defined, then no tests get included and no
tests are included in the final redis-server binary.
2014-12-23 09:31:03 -05:00
Matt Stancliff
8380655e85 Remove ziplist compiler warnings
Only happen when compiled with the test define.
2014-12-23 09:31:03 -05:00
Xiaojie Zhang
9aba616866 Fix comment inconsistencies in ziplist.c
Closes #1523
2014-09-29 06:49:08 -04:00
Matt Stancliff
12d0195b30 Clean up text throughout project
- Remove trailing newlines from redis.conf
  - Fix comment misspelling
  - Clarifies zipEncodeLength usage and a C API mention (#1243, #1242)
  - Fix cluster typos (inspired by @papanikge #1507)
  - Fix rewite -> rewrite in a few places (inspired by #682)

Closes #1243, #1242, #1507
2014-09-29 06:49:07 -04:00
Xiaojie Zhang
4bb6844e43 Avoid unnecessary decoding in ziplist.c
Closes #1519
2014-08-08 11:04:54 +02:00
antirez
1c75408457 assert.h replaced with redisassert.h when appropriate.
Also a warning was suppressed by including unistd.h in redisassert.h
(needed for _exit()).
2013-08-19 15:01:21 +02:00
Salvatore Sanfilippo
7d626d4975 Merge pull request #776 from charsyam/ziplist-bug
fix randstring bug in ziplist.c
2013-07-02 03:18:18 -07:00
Pierre Chapuis
50d43a9823 fix comments forgotten in #285 (zipmap -> ziplist) 2013-01-28 11:07:17 +01:00
charsyam
52b52a3508 fix randstring bug 2012-11-20 02:50:31 +08:00
antirez
4365e5b2d3 BSD license added to every C source and header file. 2012-11-08 18:31:32 +01:00
Pieter Noordhuis
3cc2904e3e Set p to its new offset before modifying it 2012-08-13 14:13:09 -07:00
Pieter Noordhuis
5117c20ab5 Add ziplist test for deleting next to last entries 2012-08-13 14:09:40 -07:00
antirez
b62bdf1c64 Don't assume that "char" is signed.
For the C standard char can be either signed or unsigned, it's up to the
compiler, but Redis assumed that it was signed in a few places.

The practical effect of this patch is that now Redis 2.6 will run
correctly in every system where char is unsigned, notably the RaspBerry
PI and other ARM systems with GCC.

Thanks to Georgi Marinov (@eesn on twitter) that reported the problem
and allowed me to use his RaspBerry via SSH to trace and fix the issue!
2012-07-18 12:04:58 +02:00
antirez
ba779119b8 ziplistFind(): don't assume that entries are comparable by encoding.
Because Redis 2.6 introduced new integer encodings it is no longer true
that if two entries have a different encoding they are not equal.

An old ziplist can be loaded from an RDB file generated with Redis 2.4,
in this case for instance a small unsigned integers is encoded with a
16 bit encoding, while in Redis 2.6 a more specific 8 bit encoding
format is used.

Because of this bug hashes ended with duplicated values or fields lookup
failed, causing many bad behaviors.
This in turn caused a crash while converting the ziplist encoded hash into
a real hash table because an assertion was raised on duplicated elements.

This commit fixes issue #547.

Many thanks to Pinterest's Marty Weiner and colleagues for discovering
the problem and helping us in the debugging process.
2012-06-14 16:01:27 +02:00
Pieter Noordhuis
bf21941686 Compare integers in ziplist regardless of encoding
Because of the introduction of new integer encoding types for ziplists
in the 2.6 tree, the same integer value may have a different encoding in
different versions of the ziplist implementation. This means that the
encoding can NOT be used as a fast path in comparing integers.
2012-05-06 10:06:21 +02:00
antirez
7dbc514de7 Spurious debugging printf removed. 2012-04-24 17:15:21 +02:00
antirez
a76b9063d0 Added two new encodings to ziplist.c
1) One integer "immediate" encoding that can encode from 0 to 12 in the
encoding byte itself.
2) One 8 bit signed integer encoding that can encode 8 bit signed small
integers in a single byte.

The idea is to exploit all the not used bits we have around in a
backward compatible way.
2012-04-24 17:04:00 +02:00
antirez
f22cff43a6 ziplist.c: added comments about the new 24 bit encoding. 2012-04-24 12:52:36 +02:00
Grisha Trubetskoy
5a86ab4799 Add a 24bit integer to ziplists to save one byte for ints that can
fit in 24 bits (thanks to antirez for catching and solving the two's compliment
bug).

Increment REDIS_RDB_VERSION to 6
2012-04-24 12:02:19 +02:00
antirez
bd376d13f8 Big endian fix. The bug was introduced because of a typo. 2012-03-23 12:42:20 +01:00
antirez
8562798308 Merge conflicts resolved. 2012-03-09 22:07:45 +01:00
antirez
7a3e372025 endian.c/h -> endianconv.c/h to avoid issues with broken libraries search paths. 2012-02-14 16:11:46 +01:00
antirez
66d1b021ec ziplist.c endianess fixes, chapter 5. 2012-02-09 17:09:01 +01:00
antirez
cab1105c6e ziplist.c endianess fixes, chapter 4. 2012-02-09 16:36:25 +01:00
antirez
3fa19b7dfc ziplist.c endianess fixes, chapter 3. 2012-02-09 16:28:35 +01:00
antirez
8e0ef249a2 more ziplist.c endianess fixes 2012-02-08 23:20:39 +01:00
antirez
5653847714 ziplist.c fixes for bigendian 2012-02-08 22:59:35 +01:00
Pieter Noordhuis
fe45840201 Implements ziplistFind
To improve the performance of the ziplist implementation, some
functions have been converted to macros to avoid unnecessary stack
movement and duplicate variable assignments.
2012-01-03 16:13:42 -08:00
antirez
f013f40003 Fixed a few warnings compiling on Linux. 2011-10-23 10:57:01 +02:00
Pieter Noordhuis
edf23aff0e Use string2ll in ziplist code (faster) 2011-05-05 16:26:51 +02:00
Pieter Noordhuis
b7d3bf5157 Fix ziplist regression and update stresser 2011-05-05 15:16:51 +02:00
Pieter Noordhuis
7d8c555e92 Merge branch 'unstable' into unstable-zset
Conflicts:
	src/object.c
2011-04-06 16:15:01 +02:00
Pieter Noordhuis
69298a05eb Offset should be size_t 2011-03-14 10:53:53 +01:00
antirez
f220437450 ziplist are now endianess agnostic 2011-03-09 18:49:59 +01:00
antirez
d4fb9f4144 encoded types API to get blob length 2011-02-28 14:48:49 +01:00
Pieter Noordhuis
8ce39260a4 Fix compiler warnings on Solaris 2010-12-23 11:26:11 +00:00
antirez
d51ebef509 LRANGE converted into a COW friendly command. Some refactoring, comment, and new addReply*() family function added in the process. 2010-12-07 16:33:13 +01:00