Reproduce
```
hmset myhash a 1
hrandfield myhash -9223372036854775808
```
Backtrace
```
# === ASSERTION FAILED ===
# ==> networking.cpp:917 'length >= 0' is not true
------ STACK TRACE ------
Backtrace:
keydb-server *:6379(addReplyAggregateLen(client*, long, int)+0x30) [0x5555556b6e60]
keydb-server *:6379(hrandfieldWithCountCommand(client*, long, int)+0xfb) [0x555555757d9b]
keydb-server *:6379(hrandfieldCommand(client*)+0xd9) [0x5555557584d9]
keydb-server *:6379(call(client*, int)+0xb1) [0x555555767ae1]
keydb-server *:6379(processCommand(client*, int)+0x954) [0x555555768c64]
keydb-server *:6379(processCommandAndResetClient(client*, int)+0x66) [0x5555556afef6]
keydb-server *:6379(processInputBuffer(client*, bool, int)+0x174) [0x5555556b6084]
keydb-server *:6379(processClients()+0xd9) [0x5555556b6219]
keydb-server *:6379(+0x19ab62) [0x5555556eeb62]
keydb-server *:6379(beforeSleep(aeEventLoop*)+0x160) [0x55555569b330]
keydb-server *:6379(aeProcessEvents+0x10b) [0x555555695b0b]
keydb-server *:6379(aeMain+0x47) [0x55555569c4e7]
keydb-server *:6379(workerThreadMain(void*)+0x73) [0x55555576a5b3]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x76db) [0x7ffff5c4b6db]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x3f) [0x7ffff597461f]
```
Additional information
- The crash can be reproduced on the keydb 6.3.2 docker image.
- The root cause of this crash should be similar to the zrand crash and srand crash.
- A similar crash was also found in redis and has already been patched. The related PR can be found at redis/redis#11857 ("Integer Overflow in RAND commands can lead to assertion", CVE-2023-25155), which might help with implementing the fix for keydb.
Thanks.
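Added illustration of the defect behind this report (example code, not KeyDB's or Redis's own): a simplified model of how RAND-style commands turn a negative count into a reply length. `count_unchecked` shows why `-9223372036854775808` produces a negative length that trips `length >= 0`, and `count_checked` parses the raw argument and rejects anything below `-LONG_MAX` before negating, which is the lower bound the upstream Redis fix applies; the extra `LONG_MAX / 2` cap for the WITHVALUES case is this example's own assumption, since that reply has twice as many elements.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Unchecked form (the bug): a negative count means "duplicates allowed"
 * and is negated to get the number of elements to reply with. For
 * LONG_MIN, -l is not representable. The wrap is computed here through
 * unsigned arithmetic so the demo stays defined behaviour; the value is
 * the same negative number that reached addReplyAggregateLen. */
long count_unchecked(long l, bool *uniq) {
    *uniq = (l >= 0);
    if (l >= 0) return l;
    return (long)(0UL - (unsigned long)l);   /* LONG_MIN stays negative */
}

/* Checked form: parse the command argument and reject anything outside
 * [-LONG_MAX, LONG_MAX] before negating, so |l| is always representable.
 * with_values doubles the reply length, so that case is additionally
 * capped at LONG_MAX / 2 (an assumption of this example, not Redis's
 * exact check). Returns 0 on success, -1 when the argument is rejected. */
int count_checked(const char *arg, bool with_values, long *count, bool *uniq) {
    char *end;
    errno = 0;
    long l = strtol(arg, &end, 10);
    if (errno == ERANGE || end == arg || *end != '\0') return -1;
    if (l < -LONG_MAX) return -1;            /* rejects LONG_MIN */
    *uniq = (l >= 0);
    long n = (l >= 0) ? l : -l;              /* safe: |l| <= LONG_MAX */
    if (with_values && n > LONG_MAX / 2) return -1;
    *count = n;
    return 0;
}

int main(void) {
    bool uniq;
    long count;
    printf("unchecked LONG_MIN -> %ld\n", count_unchecked(LONG_MIN, &uniq));
    printf("checked '-9223372036854775808' -> %d (rejected)\n",
           count_checked("-9223372036854775808", false, &count, &uniq));
    if (count_checked("-5", false, &count, &uniq) == 0)
        printf("checked '-5' -> count %ld, unique %d\n", count, uniq);
    return 0;
}
```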