Null pointer dereferencing in dict.c and async.c #747

Closed
shouc opened this issue Jan 9, 2020 · 6 comments

Comments

@shouc commented Jan 9, 2020

The following code never aborts when malloc is unsuccessful, causing dereferencing of null pointers.

async.c:61

```c
redisCallback *dup = malloc(sizeof(*dup));
memcpy(dup,src,sizeof(*dup)); // dup may be null
return dup;
```

dict.c:75

```c
dict *ht = malloc(sizeof(*ht));
_dictInit(ht,type,privDataPtr); // ht may be null
```

dict.c:146

```c
entry = malloc(sizeof(*entry));
entry->next = ht->table[index]; // entry may be null
```

dict.c:261

```c
dictIterator *iter = malloc(sizeof(*iter));
iter->ht = ht; // iter may be null
```

@shouc shouc changed the title Several potential null pointer dereferencing Several null pointer dereferencing in dict.c and async.c Jan 9, 2020
@shouc shouc changed the title Several null pointer dereferencing in dict.c and async.c Null pointer dereferencing in dict.c and async.c Jan 9, 2020
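The four snippets above all share one shape: `malloc` result used before anyone looks at it. The example below is added here for illustration and is not hiredis code; it shows the reported pattern (`callback_dup_unchecked`) next to a hardened version built on a small allocation layer with a pluggable out-of-memory handler, the same direction the fix commit referenced later in this thread takes (wrappers whose OOM handler defaults to `abort()`). Every name in it (`alloc_set_functions`, `x_malloc`, `x_free`, `callback_t`, the `failing_malloc` and `recording_oom` test doubles) is an assumption made up for this example, not an API of the project. The point it demonstrates: when the handler is allowed to return instead of aborting, the wrapper alone is not enough, and every caller still has to check for `NULL`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical allocation layer (names invented for this example, not hiredis's own API). */
typedef void *(*alloc_malloc_fn)(size_t);
typedef void  (*alloc_free_fn)(void *);
typedef void  (*alloc_oom_fn)(size_t);   /* may abort, or return so the caller sees NULL */

static void default_oom(size_t n) {
    fprintf(stderr, "out of memory allocating %zu bytes\n", n);
    abort();                              /* default: fail loudly, never dereference NULL */
}

static alloc_malloc_fn g_malloc = malloc;
static alloc_free_fn   g_free   = free;
static alloc_oom_fn    g_oom    = default_oom;

/* Install custom allocator/OOM functions; NULL restores the default for that slot. */
void alloc_set_functions(alloc_malloc_fn m, alloc_free_fn f, alloc_oom_fn o) {
    g_malloc = m ? m : malloc;
    g_free   = f ? f : free;
    g_oom    = o ? o : default_oom;
}

/* Wrapper: on failure invoke the OOM handler; returns NULL only if that handler chose to return. */
void *x_malloc(size_t n) {
    void *p = g_malloc(n);
    if (p == NULL)
        g_oom(n);
    return p;
}

void x_free(void *p) { g_free(p); }

/* Minimal stand-in for the callback struct copied in async.c (constructed for the example). */
typedef struct {
    void (*fn)(void *reply, void *privdata);
    void *privdata;
} callback_t;

/* Before: the pattern from the issue. If malloc fails, memcpy writes through NULL. */
callback_t *callback_dup_unchecked(const callback_t *src) {
    callback_t *dup = malloc(sizeof(*dup));
    memcpy(dup, src, sizeof(*dup));       /* crash (or worse) on allocation failure */
    return dup;
}

/* After: go through the wrapper AND check, because a non-aborting handler yields NULL. */
callback_t *callback_dup_safe(const callback_t *src) {
    callback_t *dup = x_malloc(sizeof(*dup));
    if (dup == NULL)
        return NULL;                      /* propagate failure instead of dereferencing */
    memcpy(dup, src, sizeof(*dup));
    return dup;
}

/* Test doubles: a malloc that fails once on demand, and an OOM handler that records the call. */
static int    g_fail_next     = 0;
static size_t g_oom_calls     = 0;
static size_t g_oom_last_size = 0;

static void *failing_malloc(size_t n) {
    if (g_fail_next) { g_fail_next = 0; return NULL; }
    return malloc(n);
}

static void recording_oom(size_t n) { g_oom_calls++; g_oom_last_size = n; }

/* Returns 1 if the hardened dup reports simulated OOM cleanly (NULL result, handler called once). */
int demo_oom_path(void) {
    callback_t src = { NULL, (void *)"ctx" };
    alloc_set_functions(failing_malloc, free, recording_oom);
    g_fail_next = 1;
    g_oom_calls = 0;
    callback_t *dup = callback_dup_safe(&src);
    alloc_set_functions(NULL, NULL, NULL);   /* restore defaults */
    return dup == NULL && g_oom_calls == 1 && g_oom_last_size == sizeof(callback_t);
}

/* Returns 1 if, with the real allocator, the hardened dup yields a faithful, distinct copy. */
int demo_normal_path(void) {
    callback_t src = { NULL, (void *)"ctx" };
    callback_t *dup = callback_dup_safe(&src);
    if (dup == NULL)
        return 0;
    int ok = (dup != &src) && (dup->privdata == src.privdata) && (dup->fn == src.fn);
    x_free(dup);
    return ok;
}

int main(void) {
    printf("oom path handled: %d\n", demo_oom_path());
    printf("normal path ok:   %d\n", demo_normal_path());
    return 0;
}
```

`callback_dup_unchecked` is kept only for contrast and is never called under the failing allocator, since doing so would reproduce the crash the issue reports. A library that exposes a configurable handler should document which contract it offers: either the handler must not return (so wrapped allocations never yield NULL), or every allocation site must be audited for a check, which is the work the referenced PRs did for dict.c and async.c.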
@lamby (Contributor) commented Jan 19, 2020

This has been given the CVE ID CVE-2020-7105.

@michael-grunder (Collaborator) commented:

We have an open PR that has this specific change in it along with a few other NULL pointer deref fixes although it does not immediately abort on failure to reallocate.

Just adding it here for reference.

@shouc (Author) commented Jan 19, 2020

Fixed in #752 & #638; more is specified in #751.

@shouc shouc closed this as completed Jan 19, 2020
@lamby (Contributor) commented Jan 19, 2020

Shall we close #752 as well then? I'm a little lost, especially as #638 has a bunch of other changes that will be very difficult to backport to older, released, versions of hiredis.

lamby added a commit to lamby/hiredis that referenced this issue Jan 19, 2020
@michael-grunder (Collaborator) commented:

Apologies, I wasn't trying to confuse the situation. I just wanted to mention that #638 contains the same change (in addition to many more changes).

Merging #752 now and then #638 later seems reasonable to me.

@shouc (Author) commented Jan 20, 2020

#752 contains more fixes on nullptr dereferencing, so I also think merging these two is reasonable.

michael-grunder added a commit to michael-grunder/hiredis that referenced this issue Jan 20, 2020
lamby added a commit to lamby/hiredis that referenced this issue Jan 22, 2020
michael-grunder added a commit that referenced this issue Jan 28, 2020
Create allocation wrappers with a configurable OOM handler (defaults to abort()).

See #752, #747
michael-grunder added a commit that referenced this issue Mar 13, 2020
Create allocation wrappers with a configurable OOM handler (defaults to abort()).

See #752, #747
valentinogeron pushed a commit to valentinogeron/hiredis that referenced this issue Mar 17, 2020
Create allocation wrappers with a configurable OOM handler (defaults to abort()).

See redis#752, redis#747

Conflicts:
	Makefile
	adapters/libevent.h