Skip to content

Commit 3c48a33

Browse files
michael-grundermichael-grunder
committed
Protect session.gc_maxlifetime from integer overflow
1 parent 2c35e43 commit 3c48a33

File tree

1 file changed

+14
-3
lines changed

1 file changed

+14
-3
lines changed

redis_session.c

Lines changed: 14 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -121,6 +121,17 @@ redis_pool_free(redis_pool *pool) {
121121
efree(pool);
122122
}
123123

124+
/* Retreive session.gc_maxlifetime from php.ini protecting against an integer overflow */
125+
static int session_gc_maxlifetime() {
126+
zend_long value = INI_INT("session.gc_maxlifetime");
127+
if (value > INT_MAX) {
128+
php_error_docref(NULL, E_NOTICE, "session.gc_maxlifetime overflows INT_MAX, truncating.");
129+
return INT_MAX;
130+
}
131+
132+
return value;
133+
}
134+
124135
/* Send a command to Redis. Returns byte count written to socket (-1 on failure) */
125136
static int redis_simple_cmd(RedisSock *redis_sock, char *cmd, int cmdlen,
126137
char **reply, int *replylen)
@@ -656,7 +667,7 @@ PS_UPDATE_TIMESTAMP_FUNC(redis)
656667

657668
/* send EXPIRE command */
658669
zend_string *session = redis_session_key(redis_sock, skey, skeylen);
659-
cmd_len = REDIS_SPPRINTF(&cmd, "EXPIRE", "Sd", session, INI_INT("session.gc_maxlifetime"));
670+
cmd_len = REDIS_SPPRINTF(&cmd, "EXPIRE", "Sd", session, session_gc_maxlifetime());
660671
zend_string_release(session);
661672

662673
if (redis_sock_write(redis_sock, cmd, cmd_len) < 0) {
@@ -753,7 +764,7 @@ PS_WRITE_FUNC(redis)
753764
/* send SET command */
754765
zend_string *session = redis_session_key(redis_sock, skey, skeylen);
755766

756-
cmd_len = REDIS_SPPRINTF(&cmd, "SETEX", "Sds", session, INI_INT("session.gc_maxlifetime"), sval, svallen);
767+
cmd_len = REDIS_SPPRINTF(&cmd, "SETEX", "Sds", session, session_gc_maxlifetime(), sval, svallen);
757768
zend_string_release(session);
758769

759770
if (!write_allowed(redis_sock, &pool->lock_status) || redis_sock_write(redis_sock, cmd, cmd_len ) < 0) {
@@ -1046,7 +1057,7 @@ PS_WRITE_FUNC(rediscluster) {
10461057
/* Set up command and slot info */
10471058
skey = cluster_session_key(c, ZSTR_VAL(key), ZSTR_LEN(key), &skeylen, &slot);
10481059
cmdlen = redis_spprintf(NULL, NULL, &cmd, "SETEX", "sds", skey,
1049-
skeylen, INI_INT("session.gc_maxlifetime"),
1060+
skeylen, session_gc_maxlifetime(),
10501061
ZSTR_VAL(val), ZSTR_LEN(val));
10511062
efree(skey);
10521063

0 commit comments

Comments
 (0)