From 7fb9e2b4ce0f29fe0eeeb5f74b1310e54144f63a Mon Sep 17 00:00:00 2001
From: antirez <antirez@gmail.com>
Date: Mon, 28 Jan 2019 18:27:41 +0100
Subject: [PATCH] ACL: reset the subcommands table on +@all / -@all.

This also is a bugfix because after -@all the previously enabled
subcommands would remain valid.
---
 src/acl.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/src/acl.c b/src/acl.c
index 132ad79a..5d264f1d 100644
--- a/src/acl.c
+++ b/src/acl.c
@@ -248,6 +248,17 @@ void ACLResetSubcommandsForCommand(user *u, unsigned long id) {
     }
 }
 
+/* Flush the entire table of subcommands. This is useful on +@all, -@all
+ * or similar to return back to the minimal memory usage (and checks to do)
+ * for the user. */
+void ACLResetSubcommands(user *u) {
+    if (u->allowed_subcommands == NULL) return;
+    for (int j = 0; j < USER_COMMAND_BITS_COUNT; j++)
+        if (u->allowed_subcommands[j]) zfree(u->allowed_subcommands[j]);
+    zfree(u->allowed_subcommands);
+    u->allowed_subcommands = NULL;
+}
+
 /* Set user properties according to the string "op". The following
  * is a description of what different strings will do:
  *
@@ -330,11 +341,13 @@ int ACLSetUser(user *u, const char *op, ssize_t oplen) {
     {
         memset(u->allowed_commands,255,sizeof(u->allowed_commands));
         u->flags |= USER_FLAG_ALLCOMMANDS;
+        ACLResetSubcommands(u);
     } else if (!strcasecmp(op,"nocommands") ||
                !strcasecmp(op,"-@all"))
     {
         memset(u->allowed_commands,0,sizeof(u->allowed_commands));
         u->flags &= ~USER_FLAG_ALLCOMMANDS;
+        ACLResetSubcommands(u);
     } else if (!strcasecmp(op,"nopass")) {
         u->flags |= USER_FLAG_NOPASS;
         listEmpty(u->passwords);