Module: kamailio Branch: master Commit: d79540f7aba4f8c2bab1227bbe724609535b0d5d URL: https://github.com/kamailio/kamailio/commit/d79540f7aba4f8c2bab1227bbe724609535b0d5d
Author: Donat Zenichev <[email protected]> Committer: Daniel-Constantin Mierla <[email protected]> Date: 2026-01-06T12:44:27+01:00 db_redis: add string key length protection Introduce a list of improvements for size overflow protection: - change func signatures to work with `size_t` only - check the raw pointer and its length This measure will protect inserts from extremely large key size (e.g. possible negative length that then gets into integer overflow) and hence from triggering the stack canary. --- Modified: src/modules/db_redis/redis_dbase.c Modified: src/modules/db_redis/redis_table.c Modified: src/modules/db_redis/redis_table.h --- Diff: https://github.com/kamailio/kamailio/commit/d79540f7aba4f8c2bab1227bbe724609535b0d5d.diff Patch: https://github.com/kamailio/kamailio/commit/d79540f7aba4f8c2bab1227bbe724609535b0d5d.patch --- diff --git a/src/modules/db_redis/redis_dbase.c b/src/modules/db_redis/redis_dbase.c index 3e778c52660..090c1e17ef7 100644 --- a/src/modules/db_redis/redis_dbase.c +++ b/src/modules/db_redis/redis_dbase.c @@ -914,7 +914,7 @@ static int db_redis_scan_query_keys_pattern(km_redis_con_t *con, LM_ERR("Failed to print integer for scan query\n"); goto err; } - if(db_redis_key_add_string(&query_v, match_count_str, l) != 0) { + if(db_redis_key_add_string(&query_v, match_count_str, (size_t)l) != 0) { LM_ERR("Failed to add count value to scan query\n"); goto err; } diff --git a/src/modules/db_redis/redis_table.c b/src/modules/db_redis/redis_table.c index af3700df8f9..068484e0557 100644 --- a/src/modules/db_redis/redis_table.c +++ b/src/modules/db_redis/redis_table.c @@ -28,10 +28,14 @@ #include "redis_connection.h" #include "redis_table.h" -int db_redis_key_add_string(redis_key_t **list, const char *entry, int len) +int db_redis_key_add_string(redis_key_t **list, const char *entry, size_t len) { redis_key_t *k; + if (!entry || !len) { + LM_ERR("Empty entry or zero length\n"); + return -1; + } k = (redis_key_t *)pkg_malloc(sizeof(redis_key_t)); if(!k) { @@ -69,13 +73,20 @@ int db_redis_key_add_string(redis_key_t **list, const char *entry, int len) int db_redis_key_add_str(redis_key_t **list, const str *entry) { - return db_redis_key_add_string(list, entry->s, entry->len); + if (entry->len < 0) + return -1; + return db_redis_key_add_string(list, entry->s, (size_t)entry->len); } -int db_redis_key_prepend_string(redis_key_t **list, const char *entry, int len) +int db_redis_key_prepend_string(redis_key_t **list, const char *entry, size_t len) { redis_key_t *k; + if (!entry || !len) { + LM_ERR("Empty entry or zero length\n"); + return -1; + } + k = (redis_key_t *)pkg_malloc(sizeof(redis_key_t)); if(!k) { LM_ERR("Failed to allocate memory for key list entry\n"); diff --git a/src/modules/db_redis/redis_table.h b/src/modules/db_redis/redis_table.h index 6ba4e8c2da1..879b50c43a5 100644 --- a/src/modules/db_redis/redis_table.h +++ b/src/modules/db_redis/redis_table.h @@ -61,9 +61,9 @@ void db_redis_free_tables(km_redis_con_t *con); int db_redis_parse_schema(km_redis_con_t *con); int db_redis_parse_keys(km_redis_con_t *con); -int db_redis_key_add_string(redis_key_t **list, const char *entry, int len); +int db_redis_key_add_string(redis_key_t **list, const char *entry, size_t len); int db_redis_key_add_str(redis_key_t **list, const str *entry); -int db_redis_key_prepend_string(redis_key_t **list, const char *entry, int len); +int db_redis_key_prepend_string(redis_key_t **list, const char *entry, size_t len); int db_redis_key_list2arr(redis_key_t *list, char ***arr); redis_key_t *db_redis_key_shift(redis_key_t **list); void db_redis_key_free(redis_key_t **list); _______________________________________________ Kamailio - Development Mailing List -- [email protected] To unsubscribe send an email to [email protected] Important: keep the mailing list in the recipients, do not reply only to the sender!
