Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check length before reading in stringmatchlen #1431

Merged
merged 1 commit into from
Dec 13, 2024
Merged

Check length before reading in stringmatchlen #1431

merged 1 commit into from
Dec 13, 2024

Conversation

thaliaarchi
Copy link
Contributor

@thaliaarchi thaliaarchi commented Dec 12, 2024
edited by zuiderkwast
Loading

Fixes four cases where stringmatchlen could overrun the pattern if it is not terminated with NUL.

These commits are cherry-picked from my fork which extracts stringmatch as a library and compares it to other projects by antirez which use the same matcher.

@thaliaarchi
Check length before reading in stringmatchlen
44940a5 
When a pattern is not NUL-terminated, stringmatchlen could overrun the
end in some cases.

Signed-off-by: Thalia Archibald <thalia@archibald.dev>
@thaliaarchi thaliaarchi mentioned this pull request Dec 12, 2024
Merged
zuiderkwast
zuiderkwast approved these changes Dec 13, 2024
View reviewed changes
Copy link
Contributor

@zuiderkwast zuiderkwast left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

This is not a security issue, right? We always call this with null-terminated strings, I believe.

It's still good to remove the assumption about null-terminated strings and never look beyond the last char of the strings.

@thaliaarchi
Copy link
Contributor Author

thaliaarchi commented Dec 13, 2024
edited
Loading

I count 20 calls in Valkey to stringmatch/stringmatchlen. I presume calls to stringmatch are safe, since callers know it expects a NUL-terminated string. Every call to stringmatchlen passes a pattern from an sds type using length sdslen(pattern). The sds API seems to guarantee that its strings are NUL-terminated. Thus, unless there's a bug in sds or callers break the stringmatch expectation, this bug is a non-issue. It's just defensive, not a security issue. However, I haven't traced the pattern initializations to be sure, because many are stored in more complex data structures.

@zuiderkwast zuiderkwast merged commit b60097b into valkey-io:unstable Dec 13, 2024
45 of 46 checks passed
@zuiderkwast
Copy link
Contributor

Thanks! I edited the top comment because we use it as the commit message when squash-merging.

@thaliaarchi
Copy link
Contributor Author

Thanks for the edit. I would have put the extra context in another comment if I knew it would be in the message. Oh well.

vudiep411 pushed a commit to Autxmaton/valkey that referenced this pull request Dec 15, 2024
@thaliaarchi @vudiep411
Check length before reading in stringmatchlen (valkey-io#1431)
ec6d475 
Fixes four cases where `stringmatchlen` could overrun the pattern if it
is not terminated with NUL.

These commits are cherry-picked from my
[fork](https://github.com/thaliaarchi/antirez-stringmatch) which
extracts `stringmatch` as a library and compares it to other projects by
antirez which use the same matcher.

Signed-off-by: Thalia Archibald <thalia@archibald.dev>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@enjoy-binbin enjoy-binbin enjoy-binbin approved these changes

@zuiderkwast zuiderkwast zuiderkwast approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@thaliaarchi @zuiderkwast @enjoy-binbin