Re: [update] redis 6.0.9

Tue, 27 Oct 2020 11:33:24 -0700 

On Tue, Oct 27, 2020 at 07:18:30PM +0100, Jeremie Courreges-Anglas wrote:
> On Tue, Oct 27 2020, Theo Buehler <t...@theobuehler.org> wrote:
> > Raltively simple update to Redis 6.0.9.
> >
> > Upgrade urgency is MODERATE due to a local patch for zmalloc. Thanks to
> > the upstream fix, we can now remove it. We need a new trivial time_t
> > patch.
> 
> [...]
> 
> > Index: patches/patch-src_debug_c
> > ===================================================================
> > RCS file: patches/patch-src_debug_c
> > diff -N patches/patch-src_debug_c
> > --- /dev/null       1 Jan 1970 00:00:00 -0000
> > +++ patches/patch-src_debug_c       27 Oct 2020 12:59:32 -0000
> > @@ -0,0 +1,16 @@
> > +$OpenBSD$
> > +
> > +time_t is long long on OpenBSD
> > +
> > +Index: src/debug.c
> > +--- src/debug.c.orig
> > ++++ src/debug.c
> > +@@ -408,7 +408,7 @@ NULL
> > +     } else if (!strcasecmp(c->argv[1]->ptr,"segfault")) {
> > +         *((char*)-1) = 'x';
> > +     } else if (!strcasecmp(c->argv[1]->ptr,"panic")) {
> > +-        serverPanic("DEBUG PANIC called at Unix time %ld", time(NULL));
> > ++        serverPanic("DEBUG PANIC called at Unix time %lld", time(NULL));
> 
> The preferred approach would be
> 
> ++        serverPanic("DEBUG PANIC called at Unix time %lld", (long 
> long)time(NULL));
> 
> which can usually be pushed upstream.  redis seems to use "long long"
> already so it shouldn't be a problem.

Alright I'll add the cast before commit.

There's another time_t patch in the port already. If you see a nicer
variant for that (should we just use long long instead of time_t?), feel
free to fix that.

$OpenBSD: patch-src_networking_c,v 1.4 2020/09/03 04:29:27 tb Exp $

time_t is long long, so use llabs to avoid truncation

Index: src/networking.c
--- src/networking.c.orig
+++ src/networking.c
@@ -2651,7 +2651,7 @@ void securityWarningCommand(client *c) {
     static time_t logged_time;
     time_t now = time(NULL);
 
-    if (labs(now-logged_time) > 60) {
+    if (llabs(now-logged_time) > 60) {
         serverLog(LL_WARNING,"Possible SECURITY ATTACK detected. It looks like 
somebody is sending POST or Host: commands to Redis. This is likely due to an 
attacker attempting to use Cross Protocol Scripting to compromise your Redis 
instance. Connection aborted.");
         logged_time = now;
     }

Reply via email to