Describe the bug
A potential memory leak in the function trackingRememberKeys, affecting redis-server.
To reproduce
1. HERE result gets initialized, with result->keys set to NULL and result->numkeys set to MAX_KEYS_BUFFER(6)
2. HERE getKeysFromCommand gets called, with &result as the last parameter.
3. HERE For commands such as PUBSUB NUMSUB, getKeysUsingLegacyRangeSpec gets called with result as the last parameter.
4. HERE getKeysPrepareResult gets called. For commands with recurring keys, count here can exceed MAX_KEYS_BUFFER(6)
5. HERE Since result->keys was set to NULL, here result->keys points to result->keysbuf
6. HERE Condition numkeys > result->size can be satisfied, as count here can exceed MAX_KEYS_BUFFER(6) in step 4.
7. HERE Since result->keys == result->keysbuf, result->keys now points to heap-allocated memory.
8. HERE Back to the function trackingRememberKeys, if commands are from the PUBSUB group, the function returns without calling getKeysFreeResult(&result).
Expected behavior
HERE the function trackingRememberKeys should return after calling getKeysFreeResult(&result).
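The leak path in the steps above, as a simplified stand-alone C model (an added example, not Redis source code). `keys_result`, `prepare_result`, `free_result`, `remember_keys` and the `live_blocks` counter are hypothetical stand-ins, and the buffer size 6 is the value quoted in the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_KEYS_BUFFER 6            /* value as quoted in the report */

typedef struct {                     /* simplified stand-in for the result struct */
    int keysbuf[MAX_KEYS_BUFFER];    /* inline storage, no allocation needed */
    int *keys;                       /* NULL, keysbuf, or a heap block */
    int numkeys, size;
} keys_result;

static int live_blocks = 0;          /* constructed counter: heap blocks not yet freed */

static void prepare_result(keys_result *r, int numkeys) {
    if (!r->keys) r->keys = r->keysbuf;          /* first use: point at inline buffer */
    if (numkeys <= r->size) return;              /* still fits, nothing to allocate */
    int was_inline = (r->keys == r->keysbuf);
    int *heap = was_inline ? malloc(numkeys * sizeof(int))
                           : realloc(r->keys, numkeys * sizeof(int));
    if (!heap) abort();
    if (was_inline) { memcpy(heap, r->keysbuf, r->numkeys * sizeof(int)); live_blocks++; }
    r->keys = heap; r->size = numkeys;           /* keys now owns heap memory */
}

static void free_result(keys_result *r) {
    if (r->keys && r->keys != r->keysbuf) { free(r->keys); live_blocks--; }
    r->keys = NULL;
}

/* Returns how many heap blocks this call left allocated (0 = no leak). */
static int remember_keys(int count, int skipped_cmd, int free_on_skip) {
    keys_result r = { .keys = NULL, .numkeys = 0, .size = MAX_KEYS_BUFFER };
    int before = live_blocks;
    prepare_result(&r, count);
    for (int i = 0; i < count; i++) r.keys[i] = i;
    r.numkeys = count;
    if (skipped_cmd) {                           /* the early-return branch */
        if (free_on_skip) free_result(&r);       /* expected behavior from the report */
        return live_blocks - before;
    }
    free_result(&r);                             /* normal path always frees */
    return live_blocks - before;
}

int main(void) {
    printf("3 keys, early return, no free:  %d\n", remember_keys(3, 1, 0));
    printf("10 keys, early return, no free: %d\n", remember_keys(10, 1, 0));
    printf("10 keys, early return, freed:   %d\n", remember_keys(10, 1, 1));
    return 0;
}
```

The early return only leaks when the key count exceeds the inline buffer, which is why the problem does not show up for commands with few keys.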