Commit Graph

6441 Commits

Author SHA1 Message Date
John Sully
39ccce033a Replicas aren't allowed to run the replicaof command 2019-03-10 09:52:19 +01:00
antirez
825843db9e Redis 4.0.13. 2019-02-20 17:26:31 +01:00
Salvatore Sanfilippo
77b4a0eb1a
Merge pull request #5822 from soloestoy/rewrite-brpoplpush-4.0
rewrite BRPOPLPUSH as RPOPLPUSH to propagate
2019-01-31 08:20:54 +01:00
zhaozhao.zz
60b2537fe1 rewrite BRPOPLPUSH as RPOPLPUSH to propagate 2019-01-31 11:53:36 +08:00
Chris Lamb
afc4b36c10 Don't treat unsupported protocols as fatal errors
If we encounter an unsupported protocol in the "bind" list, don't
ipso-facto consider it a fatal error. We continue to abort startup if
there are no listening sockets at all.

This ensures that the lack of IPv6 support does not prevent Redis from
starting on Debian where we try to bind to the ::1 interface by default
(via "bind 127.0.0.1 ::1"). A machine with IPv6 disabled (such as some
container systems) would simply fail to start Redis after the initiall
call to apt(8).

This is similar to the case for where "bind" is not specified:

  https://github.com/antirez/redis/issues/3894

... and was based on the corresponding PR:

  https://github.com/antirez/redis/pull/4108

... but also adds EADDRNOTAVAIL to the list of errors to catch which I
believe is missing from there.

This issue was raised in Debian as both <https://bugs.debian.org/900284>
& <https://bugs.debian.org/914354>.
2018-12-21 12:40:28 +01:00
antirez
cbcc76ac5b Redis 4.0.12 2018-12-11 18:09:17 +01:00
antirez
b6cd3b3c57 asyncCloseClientOnOutputBufferLimitReached(): don't free fake clients.
Fake clients are used in special situations and are not linked to the
normal clients list, freeing them will always result in Redis crashing
in one way or the other.

It's not common to send replies to fake clients, but we have one usage
in the modules API. When a client is blocked, we associate to the
blocked client object (that is safe to manipulate in a thread), a fake
client that accumulates replies. So because of this bug there was
the problem described in issue #5443.

The fix was verified to work with the provided example module. To write
a regression is very hard and unlikely to be triggered in the future.
2018-12-11 18:05:47 +01:00
Guy Benoish
e16402b0c8 Don't call sdscmp() with shared.maxstring or shared.minstring 2018-12-11 18:04:48 +01:00
antirez
49d9f4116b Fix stringmatchlen() read past buffer bug.
See #5632.
2018-12-11 18:02:30 +01:00
Salvatore Sanfilippo
97192e2d88
Merge pull request #5569 from maximebedard/backport-4497
Backport #4497 to redis 4
2018-11-22 11:12:36 +01:00
antirez
1908aba73d add linkClient(): adds the client and caches the list node.
We have this operation in two places: when caching the master and
when linking a new client after the client creation. By having an API
for this we avoid incurring in errors when modifying one of the two
places forgetting the other. The function is also a good place where to
document why we cache the linked list node.

Related to #4497 and #4210.
2018-11-13 19:57:04 -05:00
zhaozhao.zz
239b08574c networking: optimize unlinkClient() in freeClient() 2018-11-13 19:52:50 -05:00
antirez
54b17f985d When replica kills a pending RDB save during SYNC, log it.
This logs what happens in the context of the fix in PR #5367.
2018-10-31 11:49:54 +01:00
Andrey Bugaevskiy
b31c08db8d Move child termination to readSyncBulkPayload 2018-10-31 11:49:49 +01:00
Andrey Bugaevskiy
21971ac83c Prevent RDB autosave from overwriting full resync results
During the full database resync we may still have unsaved changes
on the receiving side. This causes a race condition between
synced data rename/load and the rename of rdbSave tempfile.
2018-10-31 11:49:37 +01:00
antirez
3a91fcbcf3 aof.c: improve indentation and change warning message.
Related to #5201.

I removed the !!! Warning part since compared to the other errors, a
missing EXEC is in theory a normal happening in the AOF file, at least
in theory: may happen in a differnet number of situations, and it's
probably better to don't give the user the feeling that something really
bad happened.
2018-10-10 11:14:23 +02:00
zhaozhao.zz
e6f287d59f AOF: discard if we lost EXEC when loading aof 2018-10-10 11:14:19 +02:00
antirez
e0d4c66aff Fix AOF comment to report the current behavior.
Realted to #5201.
2018-10-10 11:14:15 +02:00
antirez
c7613cf34e Really bump version number to 4.0.11. 2018-08-04 00:44:56 +02:00
antirez
f2e9d94e0f Redis 4.0.11. 2018-08-03 17:14:20 +02:00
antirez
677f7585e0 Set repl_down_since to zero on state change.
PR #5081 fixes an "interesting" bug about Redis Cluster failover but in
general about the updating of repl_down_since, that is used in order to
count the time a slave was left disconnected from its master.

While the fix provided resolves the specific issue, in general the
validity of repl_down_since is limited to states that are different
than the state CONNECTED, and the disconnected time is set when the
state is DISCONNECTED. However from CONNECTED to other states, the state
machine must always go to DISCONNECTED first. So it makes sense to set
the field to zero (since it is meaningless in that context) when the
state is set to CONNECTED.
2018-08-03 17:07:28 +02:00
WuYunlong
8c6223f91d fix server.repl_down_since resetting, so that slaves could failover
automatically as expected.
2018-08-03 17:07:23 +02:00
Oran Agra
9535c21515 fix rare replication stream corruption with disk-based replication
The slave sends \n keepalive messages to the master while parsing the rdb,
and later sends REPLCONF ACK once a second. rarely, the master recives both
a linefeed char and a REPLCONF in the same read, \n*3\r\n$8\r\nREPLCONF\r\n...
and it tries to trim two chars (\r\n) from the query buffer,
trimming the '*' from *3\r\n$8\r\nREPLCONF\r\n...

then the master tries to process a command starting with '3' and replies to
the slave a bunch of -ERR and one +OK.
although the slave silently ignores these (prints a log message), this corrupts
the replication offset at the slave since the slave increases the replication
offset, and the master did not.

other than the fix in processInlineBuffer, i did several other improvments
while hunting this very rare bug.

- when redis replies with "unknown command" it includes a portion of the
  arguments, not just the command name. so it would be easier to understand
  what was recived, in my case, on the slave side,  it was -ERR, but
  the "arguments" were the interesting part (containing info on the error).
- about a year ago i added code in addReplyErrorLength to print the error to
  the log in case of a reply to master (since this string isn't actually
  trasmitted to the master), now changed that block to print a similar log
  message to indicate an error being sent from the master to the slave.
  note that the slave is marked as CLIENT_SLAVE only after PSYNC was received,
  so this will not cause any harm for REPLCONF, and will only indicate problems
  that are gonna corrupt the replication stream anyway.
- two places were c->reply was emptied, and i wanted to reset sentlen
  this is a precaution (i did not actually see such a problem), since a
  non-zero sentlen will cause corruption to be transmitted on the socket.
2018-07-23 18:16:22 +02:00
zhaozhao.zz
5f1fcc599a fix exists command on slave 2018-06-29 13:29:41 +02:00
antirez
ab145a9f15 Fix infinite loop in dbRandomKey().
Thanks to @kevinmcgehee for signaling the issue and reasoning about the
consequences and potential fixes.

Issue #5015.
2018-06-29 13:29:33 +02:00
antirez
2fa43ece12 Sentinel: add an option to deny online script reconfiguration.
The ability of "SENTINEL SET" to change the reconfiguration script at
runtime is a problem even in the security model of Redis: any client
inside the network may set any executable to be ran once a failover is
triggered.

This option adds protection for this problem: by default the two
SENTINEL SET subcommands modifying scripts paths are denied. However the
user is still able to rever that using the Sentinel configuration file
in order to allow such a feature.
2018-06-29 13:27:49 +02:00
antirez
556b2d2bee Redis 4.0.10. 2018-06-13 13:02:07 +02:00
antirez
9fdcc15962 Security: fix redis-cli buffer overflow.
Thanks to Fakhri Zulkifli for reporting it.

The fix switched to dynamic allocation, copying the final prompt in the
static buffer only at the end.
2018-06-13 12:40:47 +02:00
antirez
cf7600714f Security: fix Lua struct package offset handling.
After the first fix to the struct package I found another similar
problem, which is fixed by this patch. It could be reproduced easily by
running the following script:

    return struct.unpack('f', "xxxxxxxxxxxxx",-3)

The above will access bytes before the 'data' pointer.
2018-06-13 12:40:46 +02:00
antirez
a57595cade Security: more cmsgpack fixes by @soloestoy.
@soloestoy sent me this additional fixes, after searching for similar
problems to the one reported in mp_pack(). I'm committing the changes
because it was not possible during to make a public PR to protect Redis
users and give Redis providers some time to patch their systems.
2018-06-13 12:40:46 +02:00
antirez
8783fb9495 Security: update Lua struct package for security.
During an auditing Apple found that the "struct" Lua package
we ship with Redis (http://www.inf.puc-rio.br/~roberto/struct/) contains
a security problem. A bound-checking statement fails because of integer
overflow. The bug exists since we initially integrated this package with
Lua, when scripting was introduced, so every version of Redis with
EVAL/EVALSHA capabilities exposed is affected.

Instead of just fixing the bug, the library was updated to the latest
version shipped by the author.
2018-06-13 12:40:46 +02:00
antirez
8cb9344b65 Security: fix Lua cmsgpack library stack overflow.
During an auditing effort, the Apple Vulnerability Research team discovered
a critical Redis security issue affecting the Lua scripting part of Redis.

-- Description of the problem

Several years ago I merged a pull request including many small changes at
the Lua MsgPack library (that originally I authored myself). The Pull
Request entered Redis in commit 90b6337c1, in 2014.
Unfortunately one of the changes included a variadic Lua function that
lacked the check for the available Lua C stack. As a result, calling the
"pack" MsgPack library function with a large number of arguments, results
into pushing into the Lua C stack a number of new values proportional to
the number of arguments the function was called with. The pushed values,
moreover, are controlled by untrusted user input.

This in turn causes stack smashing which we believe to be exploitable,
while not very deterministic, but it is likely that an exploit could be
created targeting specific versions of Redis executables. However at its
minimum the issue results in a DoS, crashing the Redis server.

-- Versions affected

Versions greater or equal to Redis 2.8.18 are affected.

-- Reproducing

Reproduce with this (based on the original reproduction script by
Apple security team):

https://gist.github.com/antirez/82445fcbea6d9b19f97014cc6cc79f8a

-- Verification of the fix

The fix was tested in the following way:

1) I checked that the problem is no longer observable running the trigger.
2) The Lua code was analyzed to understand the stack semantics, and that
actually enough stack is allocated in all the cases of mp_pack() calls.
3) The mp_pack() function was modified in order to show exactly what items
in the stack were being set, to make sure that there is no silent overflow
even after the fix.

-- Credits

Thank you to the Apple team and to the other persons that helped me
checking the patch and coordinating this communication.
2018-06-13 12:40:46 +02:00
赵磊
59080f6023 Fix dictScan(): It can't scan all buckets when dict is shrinking. 2018-06-01 16:54:30 +02:00
dejun.xdj
ac2a824aa9 Fix redis-cli memory leak when sending set preference command. 2018-05-29 12:46:27 +02:00
dejun.xdj
c7197ff50f Check if the repeat value is positive in while loop of cliSendCommand().
In case that the incoming repeat parameter is negative and causes a
deadless loop.
2018-05-29 12:46:27 +02:00
dejun.xdj
3f77777ffd Change the type of repeat argument to long for function cliSendCommand.
To be in consistent with the original definition.
2018-05-29 12:46:27 +02:00
dejun.xdj
7a565d7257 Fix negtive repeat command value issue.
If command like "-1 set a b" is sent with redis-cli, it will cause a deadless loop. So some repeat value checking logic is added to avoid this.
2018-05-29 12:46:27 +02:00
dejun.xdj
64bf60fb52 Detect and stop saving history for auth command with repeat option.
Put the repeat option checking code a little forward to avoid repeat logic.
2018-05-29 12:46:27 +02:00
dejun.xdj
5bed12aa03 Change the warning message a little bit to avoid trademark issuses. 2018-05-29 12:45:43 +02:00
dejun.xdj
d71c49610b Stop saving auth command in redis-cli history. 2018-05-29 12:45:20 +02:00
dejun.xdj
fca99e413a Add warning message when using password on command line 2018-05-29 12:45:11 +02:00
antirez
01407a3a42 Don't expire keys while loading RDB from AOF preamble.
The AOF tail of a combined RDB+AOF is based on the premise of applying
the AOF commands to the exact state that there was in the server while
the RDB was persisted. By expiring keys while loading the RDB file, we
change the state, so applying the AOF tail later may change the state.

Test case:

* Time1: SET a 10
* Time2: EXPIREAT a $time5
* Time3: INCR a
* Time4: PERSIT A. Start bgrewiteaof with RDB preamble. The value of a is 11 without expire time.
* Time5: Restart redis from the RDB+AOF: consistency violation.

Thanks to @soloestoy for providing the patch.
Thanks to @trevor211 for the original issue report and the initial fix.

Check issue #4950 for more info.
2018-05-29 12:44:09 +02:00
WuYunlong
fb5408cf68 Fix rdb save by allowing dumping of expire keys, so that when
we add a new slave, and do a failover, eighter by manual or
not, other local slaves will delete the expired keys properly.
2018-05-29 12:44:05 +02:00
antirez
0b8b6df472 Backport hiredis issue 525 fix to compile on FreeBSD.
Close #4947.
2018-05-29 12:44:01 +02:00
antirez
e98627c5b5 Add INIT INFO to the provided init script. 2018-05-23 17:19:20 +02:00
antirez
17f5de896a Fix ae.c when a timer finalizerProc adds an event.
While this feature is not used by Redis, ae.c implements the ability for
a timer to call a finalizer callback when an timer event is deleted.
This feature was bugged since the start, and because it was never used
we never noticed a problem. However Anthony LaTorre was using the same
library in order to implement a different system: he found a bug that he
describes as follows, and which he fixed with the patch in this commit,
sent me by private email:

    --- Anthony email ---

've found one bug in the current implementation of the timed events.
It's possible to lose track of a timed event if an event is added in
the finalizerProc of another event.

For example, suppose you start off with three timed events 1, 2, and
3. Then the linked list looks like:

3 -> 2 -> 1

Then, you run processTimeEvents and events 2 and 3 finish, so now the
list looks like:

-1 -> -1 -> 2

Now, on the next iteration of processTimeEvents it starts by deleting
the first event, and suppose this finalizerProc creates a new event,
so that the list looks like this:

4 -> -1 -> 2

On the next iteration of the while loop, when it gets to the second
event, the variable prev is still set to NULL, so that the head of the
event loop after the next event will be set to 2, i.e. after deleting
the next event the event loop will look like:

2

and the event with id 4 will be lost.

I've attached an example program to illustrate the issue. If you run
it you will see that it prints:

```
foo id = 0
spam!
```

But if you uncomment line 29 and run it again it won't print "spam!".

    --- End of email ---

Test.c source code is as follows:

    #include "ae.h"
    #include <stdio.h>

    aeEventLoop *el;

    int foo(struct aeEventLoop *el, long long id, void *data)
    {
	printf("foo id = %lld\n", id);

	return AE_NOMORE;
    }

    int spam(struct aeEventLoop *el, long long id, void *data)
    {
	printf("spam!\n");

	return AE_NOMORE;
    }

    void bar(struct aeEventLoop *el, void *data)
    {
	aeCreateTimeEvent(el, 0, spam, NULL, NULL);
    }

    int main(int argc, char **argv)
    {
	el = aeCreateEventLoop(100);

	//aeCreateTimeEvent(el, 0, foo, NULL, NULL);
	aeCreateTimeEvent(el, 0, foo, NULL, bar);

	aeMain(el);

	return 0;
    }

Anthony fixed the problem by using a linked list for the list of timers, and
sent me back this patch after he tested the code in production for some time.
The code looks sane to me, so committing it to Redis.
2018-05-23 17:19:11 +02:00
antirez
266e6423bf Sentinel: fix delay in detecting ODOWN.
See issue #2819 for details. The gist is that when we want to send INFO
because we are over the time, we used to send only INFO commands, no
longer sending PING commands. However if a master fails exactly when we
are about to send an INFO command, the PING times will result zero
because the PONG reply was already received, and we'll fail to send more
PINGs, since we try only to send INFO commands: the failure detector
will delay until the connection is closed and re-opened for "long
timeout".

This commit changes the logic so that we can send the three kind of
messages regardless of the fact we sent another one already in the same
code path. It could happen that we go over the message limit for the
link by a few messages, but this is not significant. However now we'll
not introduce delays in sending commands just because there was
something else to send at the same time.
2018-05-23 17:18:23 +02:00
zhaozhao.zz
eafaf17269 AOF & RDB: be compatible with rdbchecksum no 2018-05-23 17:18:18 +02:00
huijing.whj
4630da375c fix int overflow problem in freeMemoryIfNeeded 2018-05-08 17:28:21 +02:00
antirez
3150c67244 Redis 4.0.9 2018-03-26 18:04:15 +02:00