[redis]github-141-1 Report

https://github.com/antirez/redis/issues/141

It turns out there are two bugs causing two failures in this ticket. This one is about the first failure.

1. Symptom

A special client query might overflow the query buffer in the client structure and crash the client.

1.1 Severity

critical

1.2 Was there an exception thrown?

Yes. A bad query format was detected (server side) but not logged; the client crashed.

1.2.1 Were there multiple exceptions?

yes

1.3 Scope of the failure

Single client

2. How to reproduce this failure

2.0 Version

redis-2.4.0-rc7

2.1 Configuration

Standard

2.2 Reproduction procedure

1. Send a query that starts with “\x00” (feature start)

2. Keep writing to this query stream

You should observe that this query eventually causes the client to crash.

2.2.1 Timing order

single event

2.2.2 Events order externally controllable?

Yes

2.3 Can the logs tell how to reproduce the failure?

Yes.

2.4 How many machines needed?

2. (client + server)

3. Diagnosis procedure

3.1 Detailed Symptom (where you start)

Crash, but the stack trace is not super useful.

3.2 Backward inference

It’s hard to trace all the way to the beginning of the user’s query (where the bad format occurs).

4. Root cause

If a query starts with “\x00”, Redis expects to see a newline. Since it never arrives, the query overflows the query buffer and causes a crash.

The interesting thing is that Redis already checked for this error condition, but it neither logged it nor handled it.
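As an added illustration (not Redis's own code and not part of the original report), a minimal line-oriented reader that buffers until a newline and makes the length check a hard stop, so a stream that starts with “\x00” and never sends the newline is refused instead of overrunning the buffer; QBUF_MAX, qbuf_feed and the other names are assumptions:

```c
#include <stddef.h>
#include <string.h>

/* Constructed model of the failure in this report, not Redis's own code:
 * a line-oriented reader that buffers until '\n'. QBUF_MAX is an assumed
 * limit, not a Redis constant. */
#define QBUF_MAX 64

enum qstate { Q_NEED_MORE = 0, Q_LINE_READY = 1, Q_TOO_LONG = -1 };

struct qbuf { char buf[QBUF_MAX]; size_t len; };

/* Append stream bytes. The length check runs before every write, and its
 * result is returned so the caller cannot keep feeding a full buffer: the
 * bug here was a check whose outcome was neither logged nor acted on. */
enum qstate qbuf_feed(struct qbuf *q, const char *data, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (q->len >= sizeof(q->buf))   /* full and still no '\n' */
            return Q_TOO_LONG;
        q->buf[q->len++] = data[i];
        if (data[i] == '\n')
            return Q_LINE_READY;
    }
    return Q_NEED_MORE;
}

/* Feed a stream that starts with "\x00" and never sends a newline, in
 * chunks of chunk_len bytes. Returns how many chunks were accepted before
 * the reader refused input (the point where the connection should close). */
int chunks_until_refused(size_t chunk_len, int max_chunks)
{
    struct qbuf q = { .len = 0 };
    char chunk[16] = "\0" "AAAAAAA" "AAAAAAA";   /* constructed: NUL + filler */
    if (chunk_len > sizeof(chunk)) chunk_len = sizeof(chunk);
    for (int sent = 0; sent < max_chunks; sent++) {
        enum qstate st = qbuf_feed(&q, chunk, chunk_len);
        if (st == Q_TOO_LONG) return sent;
        if (st == Q_LINE_READY) return -1; /* cannot happen: no '\n' sent */
    }
    return max_chunks;
}

/* Sanity path: a well-formed line is accepted as soon as '\n' arrives. */
int accepts_line(const char *line)
{
    struct qbuf q = { .len = 0 };
    return qbuf_feed(&q, line, strlen(line)) == Q_LINE_READY;
}
```

With a 64-byte buffer and 16-byte chunks the reader accepts four chunks and refuses the fifth, which is the point at which the server should log the malformed query and close the connection.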

4.1 Category

Incorrect error handling