aboutsummaryrefslogtreecommitdiffstats
path: root/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch')
-rw-r--r--meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch35
1 files changed, 35 insertions, 0 deletions
diff --git a/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch b/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
new file mode 100644
index 000000000..a5e5a1ba5
--- /dev/null
+++ b/meta-oe/recipes-extended/redis/redis/fix-CVE-2021-29477.patch
@@ -0,0 +1,35 @@
+From f0c5f920d0f88bd8aa376a2c05af4902789d1ef9 Mon Sep 17 00:00:00 2001
+From: Oran Agra <oran@redislabs.com>
+Date: Mon, 3 May 2021 08:32:31 +0300
+Subject: [PATCH] Fix integer overflow in STRALGO LCS (CVE-2021-29477)
+
+An integer overflow bug in Redis version 6.0 or newer could be exploited using
+the STRALGO LCS command to corrupt the heap and potentially result with remote
+code execution.
+
+CVE: CVE-2021-29477
+Upstream-Status: Backport
+[https://github.com/redis/redis/commit/f0c5f920d0f88bd8aa376a2c05af4902789d1ef9]
+
+Signed-off-by: Tony Tascioglu <tony.tascioglu@windriver.com>
+
+---
+ src/t_string.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/t_string.c b/src/t_string.c
+index 9228c5ed0..db6f7042e 100644
+--- a/src/t_string.c
++++ b/src/t_string.c
+@@ -805,7 +805,7 @@ void stralgoLCS(client *c) {
+ /* Setup an uint32_t array to store at LCS[i,j] the length of the
+ * LCS A0..i-1, B0..j-1. Note that we have a linear array here, so
+ * we index it as LCS[j+(blen+1)*j] */
+- uint32_t *lcs = zmalloc((alen+1)*(blen+1)*sizeof(uint32_t));
++ uint32_t *lcs = zmalloc((size_t)(alen+1)*(blen+1)*sizeof(uint32_t));
+ #define LCS(A,B) lcs[(B)+((A)*(blen+1))]
+
+ /* Start building the LCS table. */
+--
+2.32.0
+