Fix getKeysUsingCommandTable() in the case of nagative arity.

This fixes a crash with Redis Cluster when OBJECT is mis-used, because getKeysUsingCommandTable() will call serverPanic() detecting we are accessing an invalid argument in the case "OBJECT foo" is called. This bug was introduced when OBJECT HELP was introduced, because the key argument is set fixed at index 2 in the command table, however now OBJECT may be called with an insufficient number of arguments to extract the key. The "Right Thing" would be to have a specific function to extract keys from the OBJECT command, however this is kinda of an overkill, so I preferred to make getKeysUsingCommandTable() more robust and just return no keys when it's not possible to honor the command table, because new commands are often added and also there are a number with an HELP subcommand violating the normal form, and crashing for this trivial reason or having many command-specific key extraction functions is not great.
2025-03-20 17:40:50 +00:00 · 2018-01-12 11:21:10 +01:00 · 2018-01-12 11:21:10 +01:00 · 2f8476df91
commit 2f8476df91
parent db7bd6fda9
1 changed files with 7 additions and 5 deletions
--- a/src/db.c
+++ b/src/db.c
@ -1152,11 +1152,13 @@ int *getKeysUsingCommandTable(struct redisCommand *cmd,robj **argv, int argc, in
    keys = zmalloc(sizeof(int)*((last - cmd->firstkey)+1));
    for (j = cmd->firstkey; j <= last; j += cmd->keystep) {
        if (j >= argc) {
-            /* Modules command do not have dispatch time arity checks, so
-             * we need to handle the case where the user passed an invalid
-             * number of arguments here. In this case we return no keys
-             * and expect the module command to report an arity error. */
-            if (cmd->flags & CMD_MODULE) {
+            /* Modules commands, and standard commands with a not fixed number
+             * of arugments (negative arity parameter) do not have dispatch
+             * time arity checks, so we need to handle the case where the user
+             * passed an invalid number of arguments here. In this case we
+             * return no keys and expect the command implementation to report
+             * an arity or syntax error. */
+            if (cmd->flags & CMD_MODULE || cmd->arity < 0) {
                zfree(keys);
                *numkeys = 0;
                return NULL;