Memory Safety / malformed gossip data leading to memory corruption

PoC (conceptual proof of concept): Background: In Redis cluster gossip, nodes advertise other nodes by sending a gossip section containing nodename fields. If a node peddles an invalid nodename (invalid ID) and the receiver does not validate it, the invalid data could be incorporated into the cluster state, potentially leading to memory safety issues or crashes when the code assumes IDs are valid. Pre-fix exploit scenario (memory-safety risk): - A rogue node sends a gossip payload containing a node entry where nodename is invalid (does not conform to CLUSTER_NAMELEN and/or verifyClusterNodeId rules). - The receiver, before this patch, would process the entry and may propagate or store it in the cluster state, risking memory corruption or inconsistent state if invalid data is treated as a valid node. Proof of Concept (high-level steps): 1) Set up a small Redis cluster with at least 3 nodes (e.g., using Redis 8.6.x prior to this fix). 2) From a rogue node, craft a gossip message (PING/PONG gossip payload) in which one g[i].nodename contains an invalid ID (e.g., a 40-byte sequence that does not pass verifyClusterNodeId, such as all 0xFF bytes or random non-conforming data) and count = 1. 3) Deliver this crafted gossip to a healthy cluster node (via normal gossip channels or a controlled test harness). 4) Observe that, without the fix, the receiving node would process the invalid entry, potentially crashing or corrupting memory due to downstream assumptions about node IDs. 5) With the fix in place, the receiver detects the invalid ID via verifyGossipSectionNodeIds, logs a warning with the corrupted bytes, and discards the entire gossip section (returning early), preventing propagation and potential memory safety issues. Notes: - The PoC is conceptual because crafting and injecting internal cluster gossip messages requires a controlled environment and access to Redis internals. The patch explicitly prevents such propagation by validating IDs up-front and skipping processing when invalid IDs are found. - The vulnerability would be most visible as a crash or memory corruption in older builds that did not perform node-ID validation on incoming gossip.

diff --git a/src/cluster_legacy.c b/src/cluster_legacy.c index 8dee109df69..45e88efdda5 100644 --- a/src/cluster_legacy.c +++ b/src/cluster_legacy.c @@ -2043,6 +2043,41 @@ static void getClientPortFromGossip(clusterMsgDataGossip *g, int *tls_port, int } } +/* Returns a string with the byte representation of the node ID (i.e. nodename) + * along with 8 trailing bytes for debugging purposes. */ +char *getCorruptedNodeIdByteString(clusterMsgDataGossip *gossip_msg) { + const int num_bytes = CLUSTER_NAMELEN + 8; + /* Allocate enough room for 4 chars per byte + null terminator */ + char *byte_string = (char*) zmalloc((num_bytes*4) + 1); + const char *name_ptr = gossip_msg->nodename; + + /* Ensure we won't print beyond the bounds of the message */ + serverAssert(name_ptr + num_bytes <= (char*)gossip_msg + sizeof(clusterMsgDataGossip)); + + for (int i = 0; i < num_bytes; i++) { + snprintf(byte_string + 4*i, 5, "\\x%02hhX", name_ptr[i]); + } + return byte_string; +} + +/* Returns the number of nodes in the gossip with invalid IDs. */ +int verifyGossipSectionNodeIds(clusterMsgDataGossip *g, uint16_t count) { + int invalid_ids = 0; + for (int i = 0; i < count; i++) { + const char *nodename = g[i].nodename; + if (verifyClusterNodeId(nodename, CLUSTER_NAMELEN) != C_OK) { + invalid_ids++; + char *raw_node_id = getCorruptedNodeIdByteString(g); + serverLog(LL_WARNING, + "Received gossip about a node with invalid ID %.40s. For debugging purposes, " + "the 48 bytes including the invalid ID and 8 trailing bytes are: %s", + nodename, raw_node_id); + zfree(raw_node_id); + } + } + return invalid_ids; +} + /* Process the gossip section of PING or PONG packets. * Note that this function assumes that the packet is already sanity-checked * by the caller, not in the content of the gossip section, but in the @@ -2052,6 +2087,14 @@ void clusterProcessGossipSection(clusterMsg *hdr, clusterLink *link) { clusterMsgDataGossip *g = (clusterMsgDataGossip*) hdr->data.ping.gossip; clusterNode *sender = link->node ? link->node : clusterLookupNode(hdr->sender, CLUSTER_NAMELEN); + /* Abort if the gossip contains invalid node IDs to avoid adding incorrect information to + * the nodes dictionary. An invalid ID indicates memory corruption on the sender side. */ + int invalid_ids = verifyGossipSectionNodeIds(g, count); + if (invalid_ids) { + serverLog(LL_WARNING, "Node %.40s (%s) gossiped %d nodes with invalid IDs.", sender->name, sender->human_nodename, invalid_ids); + return; + } + while(count--) { uint16_t flags = ntohs(g->flags); clusterNode *node;