Bug 2013499 (CVE-2021-32765) - CVE-2021-32765 hiredis: an integer overflow may occur if provided maliciously crafted or corrupted RESP mult-bulk protocol data
Summary: CVE-2021-32765 hiredis: an integer overflow may occur if provided maliciously...
Keywords:
Status: NEW
Alias: CVE-2021-32765
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2013502
TreeView+ depends on / blocked
 
Reported: 2021-10-13 04:45 UTC by Marian Rehak
Modified: 2021-11-02 15:42 UTC (History)
19 users (show)

Fixed In Version: hiredis 1.0.1
Doc Type: If docs needed, set a value
Doc Text:
An integer overflow flaw when parsing array replies was found in hiredis, which leads to a buffer overflow and subsequent code execution. This flaw allows a remote attacker to execute arbitrary commands and craft a malicious payload to execute commands on the system. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Marian Rehak 2021-10-13 04:45:39 UTC
Hiredis is vulnurable to integer overflow if provided maliciously crafted or corrupted `RESP` `mult-bulk` protocol data. When parsing `multi-bulk` (array-like) replies, hiredis fails to check if `count * sizeof(redisReply*)` can be represented in `SIZE_MAX`. If it can not, and the `calloc()` call doesn't itself make this check, it would result in a short allocation and subsequent buffer overflow.

Upstream Advisory:

https://github.com/redis/hiredis/security/advisories/GHSA-hfm9-39pp-55p2


Note You need to log in before you can comment on or make changes to this bug.