Impact
Hiredis is vulnerable to integer overflow if provided maliciously crafted or corrupted RESP multi-bulk protocol data.
When parsing multi-bulk (array-like) replies, hiredis fails to check whether count * sizeof(redisReply*) can be represented in SIZE_MAX. If it cannot, and the calloc() call doesn't itself make this check, the product silently wraps, resulting in a short allocation and a subsequent heap buffer overflow when the reply elements are stored into it.
A more thorough explanation of the vulnerability
Patches
The problem has been patched in the private fork and will be released in v1.0.1
Workarounds
Users of hiredis >= 1.0.0 may set the maxelements context option to a value small enough that no overflow is possible. A system-independent implementation of that calculation might look like so:

/* The extra division by 2 is because `MAP` and `HASH` replies send the number of
   key/value pairs. */
context->maxelements = SIZE_MAX / sizeof(redisReply*) / 2;

This will require a recompilation of their code, however.
Also worth noting that the value defaults to 4,294,967,295, so users of >= v1.0.0 in 64-bit environments are likely unaffected by default: 4,294,967,295 elements times an 8-byte pointer fits easily in a 64-bit size_t. On a 32-bit platform the same count times a 4-byte pointer exceeds SIZE_MAX, so 32-bit users should lower the value as shown above.
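The following is an added example, not hiredis' own code, illustrating both the Impact section (the unchecked count * sizeof(redisReply*) product) and the Workarounds section (the maxelements bound). It uses an opaque stand-in for the redisReply type, a hypothetical header parser for the "*<count>\r\n" multi-bulk prefix, and constructed RESP inputs rather than captured traffic; the function names are assumptions for illustration only.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Opaque stand-in for hiredis' redisReply; only the pointer size matters here. */
typedef struct redisReply redisReply;

/* Bound from the advisory's workaround: keeps count * sizeof(redisReply*)
   within size_t, with the extra / 2 covering MAP/HASH replies whose header
   counts key/value pairs. */
size_t safe_maxelements(void) {
    return SIZE_MAX / sizeof(redisReply *) / 2;
}

/* 1 if count * sizeof(redisReply*) is representable in size_t, else 0.
   Dividing SIZE_MAX by the element size avoids performing the multiplication
   that could wrap. */
int element_count_fits(size_t count) {
    return count <= SIZE_MAX / sizeof(redisReply *);
}

/* The vulnerable computation: for large counts the product wraps, so an
   allocator receives a tiny size and later element stores run past it. */
size_t unchecked_alloc_bytes(size_t count) {
    return count * sizeof(redisReply *);
}

/* Hardened allocation: refuse before touching the allocator at all. */
redisReply **alloc_elements_checked(size_t count) {
    if (!element_count_fits(count))
        return NULL;
    return calloc(count, sizeof(redisReply *));
}

/* Hypothetical parser for a RESP multi-bulk header "*<count>\r\n".
   Returns 0 and stores the count on success; -1 on malformed input, on a
   count whose digits would overflow size_t, or on a count above maxelements. */
int parse_multibulk_header(const char *buf, size_t len, size_t maxelements, size_t *count_out) {
    if (len < 4 || buf[0] != '*')
        return -1;
    size_t count = 0, i = 1;
    while (i < len && buf[i] >= '0' && buf[i] <= '9') {
        unsigned d = (unsigned)(buf[i] - '0');
        if (count > (SIZE_MAX - d) / 10)   /* count * 10 + d would wrap */
            return -1;
        count = count * 10 + d;
        i++;
    }
    if (i == 1 || i + 1 >= len || buf[i] != '\r' || buf[i + 1] != '\n')
        return -1;
    if (count > maxelements)
        return -1;
    *count_out = count;
    return 0;
}

/* Convenience wrappers: parse a NUL-terminated header under the safe bound. */
int header_accepted(const char *s) {
    size_t n;
    return parse_multibulk_header(s, strlen(s), safe_maxelements(), &n) == 0;
}

size_t header_count(const char *s) {
    size_t n = 0;
    if (parse_multibulk_header(s, strlen(s), safe_maxelements(), &n) != 0)
        return 0;
    return n;
}

/* Does the hardened allocator succeed for this count? */
int checked_alloc_succeeds(size_t count) {
    redisReply **p = alloc_elements_checked(count);
    if (p == NULL)
        return 0;
    free(p);
    return 1;
}

int main(void) {
    /* Constructed inputs, not captured traffic. */
    const char *benign  = "*3\r\n";
    const char *hostile = "*4611686018427387904\r\n";   /* 2^62 elements */
    printf("benign accepted: %d, count %zu\n", header_accepted(benign), header_count(benign));
    printf("hostile accepted: %d\n", header_accepted(hostile));
    printf("wrapped byte size for SIZE_MAX/ptr+1 elements: %zu\n",
           unchecked_alloc_bytes(SIZE_MAX / sizeof(redisReply *) + 1));
    return 0;
}
```

The wrapped product is exactly 0 on both 32- and 64-bit targets, because SIZE_MAX + 1 and the pointer size are both powers of two; that is why a short allocation rather than an allocation failure is the typical outcome when the allocator does not check the product itself.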
Credit
This issue was discovered and reported by Microsoft Vulnerability Research.
For more information
If you have any questions or comments about this advisory: