From d379bf595ca0ea3b849d0256ff36aedd83591522 Mon Sep 17 00:00:00 2001
From: yangyang
Date: Tue, 31 May 2022 15:09:29 +0800
Subject: [PATCH] Fix CVE-2021-32672
---
 CVE-2021-32672.patch | 84 ++++++++++++++++++++++++++++++++++++++++++++
 redis6.spec | 7 +++-
 2 files changed, 90 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2021-32672.patch
diff --git a/CVE-2021-32672.patch b/CVE-2021-32672.patch
new file mode 100644
index 0000000..232b1f0
--- /dev/null
+++ b/CVE-2021-32672.patch
@@ -0,0 +1,84 @@
+diff -Naru redis-6.0.11/src/scripting.c "redis-6.0.11 copy/src/scripting.c"
+--- redis-6.0.11/src/scripting.c 2021-02-23 07:35:37.000000000 +0800
++++ "redis-6.0.11 copy/src/scripting.c" 2022-05-26 15:32:51.868484000 +0800
+@@ -2026,7 +2026,8 @@
+ /* Expect a valid multi-bulk command in the debugging client query buffer.
+ * On success the command is parsed and returned as an array of SDS strings,
+ * otherwise NULL is returned and there is to read more buffer. */
+-sds *ldbReplParseCommand(int *argcp) {
++sds *ldbReplParseCommand(int *argcp, char** err) {
++ static char* protocol_error = "protocol error";
+ sds *argv = NULL;
+ int argc = 0;
+ if (sdslen(ldb.cbuf) == 0) return NULL;
+@@ -2043,7 +2044,7 @@
+ /* Seek and parse *\r\n. */
+ p = strchr(p,'*'); if (!p) goto protoerr;
+ char *plen = p+1; /* Multi bulk len pointer. */
+- p = strstr(p,"\r\n"); if (!p) goto protoerr;
++ p = strstr(p,"\r\n"); if (!p) goto keep_reading;
+ *p = '\0'; p += 2;
+ *argcp = atoi(plen);
+ if (*argcp <= 0 || *argcp > 1024) goto protoerr;
+@@ -2052,12 +2053,16 @@
+ argv = zmalloc(sizeof(sds)*(*argcp));
+ argc = 0;
+ while(argc < *argcp) {
++ // reached the end but there should be more data to read
++ if (*p == '\0') goto keep_reading;
++
+ if (*p != '$') goto protoerr;
+ plen = p+1; /* Bulk string len pointer. */
+- p = strstr(p,"\r\n"); if (!p) goto protoerr;
++ p = strstr(p,"\r\n"); if (!p) goto keep_reading;
+ *p = '\0'; p += 2;
+ int slen = atoi(plen); /* Length of this arg. */
+ if (slen <= 0 || slen > 1024) goto protoerr;
++ if ((size_t)(p + slen + 2 - copy) > sdslen(copy) ) goto keep_reading;
+ argv[argc++] = sdsnewlen(p,slen);
+ p += slen; /* Skip the already parsed argument. */
+ if (p[0] != '\r' || p[1] != '\n') goto protoerr;
+@@ -2067,6 +2072,8 @@
+ return argv;
+
+ protoerr:
++ *err = protocol_error;
++keep_reading:
+ sdsfreesplitres(argv,argc);
+ sdsfree(copy);
+ return NULL;
+@@ -2555,12 +2562,16 @@
+ int ldbRepl(lua_State *lua) {
+ sds *argv;
+ int argc;
+-
++ char* err = NULL;
+ /* We continue processing commands until a command that should return
+ * to the Lua interpreter is found. */
+ while(1) {
+- while((argv = ldbReplParseCommand(&argc)) == NULL) {
++ while((argv = ldbReplParseCommand(&argc, &err)) == NULL) {
+ char buf[1024];
++ if (err) {
++ lua_pushstring(lua, err);
++ lua_error(lua);
++ }
+ int nread = connRead(ldb.conn,buf,sizeof(buf));
+ if (nread <= 0) {
+ /* Make sure the script runs without user input since the
+@@ -2570,6 +2581,15 @@
+ return C_ERR;
+ }
+ ldb.cbuf = sdscatlen(ldb.cbuf,buf,nread);
++ /* after 1M we will exit with an error
++ * so that the client will not blow the memory
++ */
++ if (sdslen(ldb.cbuf) > 1<<20) {
++ sdsfree(ldb.cbuf);
++ ldb.cbuf = sdsempty();
++ lua_pushstring(lua, "max client buffer reached");
++ lua_error(lua);
++ }
+ }
+
+ /* Flush the old buffer. */
diff --git a/redis6.spec b/redis6.spec
index 4a8493f..06a2a51 100644
--- a/redis6.spec
+++ b/redis6.spec
@@ -6,7 +6,7 @@
 %global Pname redis
 Name: redis6
 Version: 6.0.11
-Release: 6
+Release: 7
 Summary: A persistent key-value database
 License: BSD and MIT
 URL: https://redis.io
@@ -28,6 +28,7 @@ Patch0005: CVE-2021-32675.patch
 Patch0006: CVE-2021-41099.patch
 Patch0007: CVE-2021-32762.patch
 Patch0008: fix-help-info.patch
+Patch0009: CVE-2021-32672.patch
 BuildRequires: make gcc
 %if %{with tests}
 BuildRequires: procps-ng tcl
@@ -92,6 +93,7 @@ tar -xvf %{SOURCE10}
 %patch0005 -p1
 %patch0006 -p1
 %patch0007 -p1
+%patch0009 -p1
 %endif
 %patch0008 -p1
 mv ../%{Pname}-doc-%{doc_commit} doc
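Review bot: In the `ldbRepl` part of the embedded patch, the new `if (err)` branch raises the Lua error while `ldb.cbuf` still holds the bytes that were just rejected, whereas the size-limit branch added a few lines below empties the buffer before raising. Whether the buffer is reset elsewhere before the next parse is not visible here, so either confirm that or make the two paths agree by adding `sdsfree(ldb.cbuf); ldb.cbuf = sdsempty();` ahead of `lua_pushstring(lua, err);`. The cap is also tested only after `sdscatlen`, so the buffer can exceed `1<<20` by up to one 1024-byte read; a named constant with a comment stating that would make the bound explicit. The patch touches only `src/scripting.c` and carries no regression test for truncated or oversized debugger input, and both `ldbReplParseCommand` and `ldbRepl` continue outside the hunks shown.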
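Review bot: `%patch0009 -p1` is added above the `%endif`, so the CVE-2021-32672 fix is applied only when the enclosing conditional is true, while `%patch0008` sits outside it. The opening `%if` is outside this hunk, so confirm that the condition holds for every build that compiles `src/scripting.c`; if it can be false, the package would carry release 7 and the changelog entry without the fix. A short comment beside the `%patch` lines stating why the security patches are conditional would help the next backport.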
@@ -222,6 +224,9 @@ fi %{_docdir}/%{Pname} %changelog +* Thu May 26 2022 yangyang - 6.0.11-7 +- Fix CVE-2021-32672.patch + * Mon Dec 06 2021 caodongxia - 6.0.11-6 - Fix help info -- Gitee