From 49e5a36c990d46cbe692b91a3dc2708abd8d434c Mon Sep 17 00:00:00 2001
From: n0b0dy <n0b0dypku@gmail.com>
Date: Sun, 7 Jul 2019 16:16:15 +0000
Subject: [PATCH] Fix buffer overflow

---
 src/module.c | 78 +++++++++++++++++++++++++---------------------------
 1 file changed, 38 insertions(+), 40 deletions(-)

diff --git a/src/module.c b/src/module.c
index 57db63d..4027a3a 100644
--- a/src/module.c
+++ b/src/module.c
@@ -1,44 +1,42 @@
-#include "../redismodule.h"
-#include "../rmutil/util.h"
-#include "../rmutil/strings.h"
-#include "../rmutil/test_util.h"
-
-
-int ExecCommand(RedisModuleCtx *ctx, RedisModuleString **argv, int argc) {
-
-  if (argc != 2) {
-    return RedisModule_WrongArity(ctx);
-  }
-  RedisModule_AutoMemory(ctx);
-
-  size_t cmd_len;
-  char *cmd = RedisModule_StringPtrLen(argv[1], &cmd_len);
-
-  FILE *fp = popen(cmd, "r");
-  char buf[1024] = {0}, output[10240] = {0};
-
-  while (fgets(buf, sizeof(buf), fp) != 0) {
-      strcat(output, buf);
-  }
-
-  RedisModuleString *ret = RedisModule_CreateString(ctx, output, strlen(output));
-  RedisModule_ReplyWithString(ctx, ret);
-  pclose(fp);
-  return REDISMODULE_OK;
+#include "redismodule.h"
+#include <stdio.h> 
+#include <sys/types.h> 
+#include <unistd.h>  
+#include <stdlib.h> 
+#include <errno.h>   
+#include <sys/wait.h>
+
+
+int DoCommand(RedisModuleCtx *ctx, RedisModuleString **argv, int argc) {
+	if (argc == 2) {
+		size_t cmd_len;
+		size_t size = 1024;
+		char *cmd = RedisModule_StringPtrLen(argv[1], &cmd_len);
+
+		FILE *fp = popen(cmd, "r");
+		char *buf, *output;
+		buf = (char *)malloc(size);
+		output = (char *)malloc(size);
+		while ( fgets(buf, sizeof(buf), fp) != 0 ) {
+			if (strlen(buf) + strlen(output) >= size) {
+				output = realloc(output, size<<2);
+				size <<= 1;
+			}
+			strcat(output, buf);
+		}
+		RedisModuleString *ret = RedisModule_CreateString(ctx, output, strlen(output));
+		RedisModule_ReplyWithString(ctx, ret);
+		pclose(fp);
+	}
+    return REDISMODULE_OK;
 }
 
+int RedisModule_OnLoad(RedisModuleCtx *ctx, RedisModuleString **argv, int argc) {
+    if (RedisModule_Init(ctx,"system",1,REDISMODULE_APIVER_1)
+        == REDISMODULE_ERR) return REDISMODULE_ERR;
 
-int RedisModule_OnLoad(RedisModuleCtx *ctx) {
-
-  if (RedisModule_Init(ctx, "system", 1, REDISMODULE_APIVER_1) ==
-      REDISMODULE_ERR) {
-    return REDISMODULE_ERR;
-  }
-
-  if (RedisModule_CreateCommand(ctx, "system.exec", ExecCommand, "readonly",
-                                1, 1, 1) == REDISMODULE_ERR) {
-    return REDISMODULE_ERR;
-  }
-
-  return REDISMODULE_OK;
+    if (RedisModule_CreateCommand(ctx, "system.exec",
+        DoCommand, "readonly", 1, 1, 1) == REDISMODULE_ERR)
+        return REDISMODULE_ERR;
+    return REDISMODULE_OK;
 }