fix: Specia Redis directives can cause pika service to crash

[YuCai18]

修复bug #3092：解决导致pika服务崩溃的错误漏洞

执行GETRANGE key1 1 4294967296两次后服务崩溃的原因

• 问题分析:大的end值在传递给Redis缓存层之前没有进行适当的验证；PikaCache::GetRange直接委托给缓存而不进行边界检查；尝试创建超大字符串时内存分配失败。
• 下图是连续执行两次GETRANGE key1 1 4294967296之后pika服务挂掉的堆栈信息:

执行SETRANGE key1 9223372036854775757 value2后服务崩溃的原因

• 问题分析:偏移值9223372036854775757接近LLONG_MAX，与值长度计算结合时导致整数溢出和内存损坏。
• 下图是执行SETRANGE key1 9223372036854775757 value2之后pika服务挂掉的堆栈信息:

修改文件部分

• 重构了src/pika_cache.cc中的GetRange方法，添加了对start和end参数的边界检查；使用full_value变量存储string类型的实际长度，避免过度内存分配。
• 在conf/pika.conf中新增参数proto_max_bulk_len，即单条数据最大长度限制，其默认大小为512MB（与Redis一致）。
• 在include/pika_conf.h中新增了int64_t proto_max_bulk_len_ = 0;以及函数int64_t proto_max_bulk_len()；和void SetRsyncTimeoutMs(int64_t value)函数。
• 在src/pika_conf.cc中新增了GetConfInt64Human("proto-max-bulk-len",xxx)函数。
• 在src/pika_kv.cc的SetrangeCmd::DoInitial中新增读取配置文件pika_conf中proto-max-bulk-len参数的功能；处理了offset_的溢出问题，当offset_大小超过设定值抛出Error:"string exceeds maximum allowed size (proto-max-bulk-len)"；当offset大小小于0则抛出Error:"offset is out of range"。
• 在string_test.go文件中追加了测试用例并通过了测试。

Summary by CodeRabbit

Summary by CodeRabbit

• New Features

  • Introduced a configuration option to set the maximum allowed size for a single bulk string in the protocol.

• Bug Fixes

  • Improved error handling for string range commands to prevent crashes and ensure correct behavior with large indices or offsets.
  • Enhanced validation to prevent setting strings that exceed the configured maximum size.
  • Optimized substring retrieval to handle negative indices and avoid excessive memory allocation.

• Tests

  • Added integration tests to verify correct handling of edge cases for GETRANGE and SETRANGE commands.

[coderabbitai]

"""

Walkthrough

The updates introduce enhanced range handling and validation for cache and key-value operations. The GetRange method now processes string ranges manually, supporting negative indices and bounds checking. Additional validation and response size limits are enforced in the GetrangeCmd and SetrangeCmd commands to control memory usage and parameter validity. Integration tests were added to verify correct behavior and error handling for large indices and offsets. A new configuration parameter proto-max-bulk-len was added to limit maximum bulk string size.

Changes

File(s)	Change Summary
src/pika_cache.cc	Reimplemented PikaCache::GetRange to manually handle string ranges, negative indices, and bounds.
src/pika_kv.cc	Added validation in SetrangeCmd::DoInitial to reject negative offsets and prevent exceeding max string size; minor formatting in GetrangeCmd::Do.
conf/pika.conf, include/pika_conf.h, src/pika_conf.cc	Added new config parameter proto-max-bulk-len with getter/setter and loading logic to limit max bulk string size.
tests/integration/string_test.go	Added tests for GETRANGE with large end index and SETRANGE with large offset to verify error handling and prevent crashes; minor formatting fixes.

Suggested reviewers

• AlexStocks

Poem

In the cache where strings reside,
Ranges now are checked with pride.
Negative indices, bounds held tight,
No more overflows in sight!
Rabbits hop with memory keen—
Safe and swift, our code is clean.
🐇✨
"""

✨ Finishing Touches

• 📝 Generate Docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (3)

src/pika_cache.cc (2)

367-371: Consider removing commented code or documenting the reason for keeping it.

The commented-out code should either be removed to avoid confusion or include a comment explaining why it's preserved for reference.

-// Status PikaCache::GetRange(std::string& key, int64_t start, int64_t end, std::string *value) {
-//   int cache_index = CacheIndex(key);
-//   std::lock_guard lm(*cache_mutexs_[cache_index]);
-//   return caches_[cache_index]->GetRange(key, start, end, value);
-// }
+// Previous implementation delegated directly to cache GetRange - removed due to crash issues

---

374-406: Manual range implementation looks correct but has performance implications.

The new implementation properly handles negative indices and bounds checking, which should prevent crashes. However, there are some considerations:

1. Performance impact: Retrieving the full string for every range operation may be inefficient for large strings with small ranges.
2. Edge case in line 383: Using full_value.size() directly as int64_t is safe but consider explicit casting for clarity.

Consider adding a size threshold to decide between full retrieval vs. direct range access:

Status PikaCache::GetRange(std::string& key, int64_t start, int64_t end, std::string *value) {
  int cache_index = CacheIndex(key);
  std::lock_guard lm(*cache_mutexs_[cache_index]);

+  // For small ranges on potentially large strings, consider optimized path
+  // Current implementation prioritizes safety over performance
  std::string full_value;
  auto s = caches_[cache_index]->Get(key, &full_value);
  if (!s.ok()) {
    return s;
  }
-  int64_t strlen = full_value.size();
+  int64_t strlen = static_cast<int64_t>(full_value.size());

src/pika_kv.cc (1)

1219-1230: Offset validation logic is sound but magic number needs documentation.

The validation correctly prevents negative offsets and potential integer overflow, which should help prevent crashes. However, the magic number 9223372036854775757 should be explained or defined as a constant.

Consider defining the magic number as a named constant:

+  // Maximum string size limit (near INT64_MAX with safety margin)
+  const int64_t MAX_STRING_SIZE = 9223372036854775757;
+  
   //6.9号新增
   if (offset_ < 0) {
     res_.SetRes(CmdRes::kInvalidInt, "offset is out of range");
     return;
   }
-  const int64_t MAX_STRING_SIZE = 9223372036854775757;
   value_ = argv_[3];
   if (offset_ > MAX_STRING_SIZE - static_cast<int64_t>(value_.size())) {
     res_.SetRes(CmdRes::kInvalidInt, "string exceeds maximum allowed size");
     return;
   }

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bf7228b and c27e2f5.

📒 Files selected for processing (2)

• src/pika_cache.cc (1 hunks)
• src/pika_kv.cc (2 hunks)

🔇 Additional comments (1)

src/pika_kv.cc (1)

1143-1151: Clarify why range size validation is commented out.

The commented-out range size validation (512MB limit) should either be removed or documented with the reason for disabling it. If the validation was causing legitimate use cases to fail, consider a higher limit or different approach.

-  //6.6号新增
-  // 添加最大值限制
-  // const int64_t MAX_RANGE_SIZE = 512 * 1024 * 1024; // 512MB
-  // if (start_ < -MAX_RANGE_SIZE || start_ > MAX_RANGE_SIZE ||
-  //   end_ < -MAX_RANGE_SIZE || end_ > MAX_RANGE_SIZE) {
-  //   res_.SetRes(CmdRes::kInvalidInt, "Range index out of bounds");
-  //   return;
-  // }
+  // Range size validation removed - consider if input validation is needed elsewhere

[coderabbitai]

⚠️ Potential issue

Response size truncation logic has a bug.

There's a logical error in the truncation warning log - it logs the wrong size value. The substr.size() after truncation will always be MAX_RESPONSE_SIZE, not the original size.

   if (s_.ok() || s_.IsNotFound()) {
     //6.9号新增的
     const size_t MAX_RESPONSE_SIZE = 100 * 1024 * 1024; //100MB
+    size_t original_size = substr.size();
     if (substr.size() > MAX_RESPONSE_SIZE) {
       substr.resize(MAX_RESPONSE_SIZE);
-      LOG(WARNING) << "GETRANGE result truncated from " << substr.size() 
+      LOG(WARNING) << "GETRANGE result truncated from " << original_size 
                    << " to " << MAX_RESPONSE_SIZE << " bytes";
     }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	//6.9号新增的
	const size_t MAX_RESPONSE_SIZE = 100 * 1024 * 1024; //100MB
	if (substr.size() > MAX_RESPONSE_SIZE) {
	substr.resize(MAX_RESPONSE_SIZE);
	LOG(WARNING) << "GETRANGE result truncated from " << substr.size()
	<< " to " << MAX_RESPONSE_SIZE << " bytes";
	}
	if (s_.ok() || s_.IsNotFound()) {
	//6.9号新增的
	const size_t MAX_RESPONSE_SIZE = 100 * 1024 * 1024; //100MB
	size_t original_size = substr.size();
	if (substr.size() > MAX_RESPONSE_SIZE) {
	substr.resize(MAX_RESPONSE_SIZE);
	LOG(WARNING) << "GETRANGE result truncated from " << original_size
	<< " to " << MAX_RESPONSE_SIZE << " bytes";
	}
	// …rest of the code…
	}

🤖 Prompt for AI Agents

In src/pika_kv.cc around lines 1160 to 1166, the warning log after truncating
substr incorrectly logs substr.size() which is the size after truncation, not
the original size. To fix this, store the original size of substr before
resizing, then use that original size in the log message to accurately report
the truncation from the original size to MAX_RESPONSE_SIZE.

[Mixficsol]

这里把不需要的删掉

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

tests/integration/string_test.go (3)

304-310: Add the usual error-check before asserting the value

The surrounding tests always assert that .Err() is nil before checking .Val().
Doing the same here avoids silently passing when the command actually failed.

-	getRange := client.GetRange(ctx, "key1", 1, 4294967296)
-	Expect(getRange.Val()).To(Equal("bc"))
+	getRange := client.GetRange(ctx, "key1", 1, 4294967296)
+	Expect(getRange.Err()).NotTo(HaveOccurred())
+	Expect(getRange.Val()).To(Equal("bc"))

---

311-317: Tighten the negative-test assertion

Right now we only assert some error happened.
Matching the error string (or redis.Err* type) makes the test more robust and guards against unrelated failures.

-	setRange := client.SetRange(ctx, "key1", 9223372036854775757, "value2")
-	Expect(setRange.Err()).To(HaveOccurred())
+	setRange := client.SetRange(ctx, "key1", 9223372036854775757, "value2")
+	Expect(setRange.Err()).To(MatchError(ContainSubstring("ERR")))

---

816-833: Shrink the TTL & replace hard Sleep with Eventually to speed-up the suite

A fixed 11-second Sleep slows the integration run noticeably.
Using a shorter TTL (e.g. 2s) together with Gomega’s Eventually keeps the intent while cutting wall-clock time by >80 %.

-	err := client.SetEx(ctx, "x", "y", 10*time.Second).Err()
+	err := client.SetEx(ctx, "x", "y", 2*time.Second).Err()
@@
-	time.Sleep(11 * time.Second)
-	//sleep 10 second x still exists
+	Eventually(func() error {
+		return client.Get(ctx, "x").Err()
+	}, "3s", "100ms").Should(Equal(redis.Nil))
+
+	// ensure compaction is harmless in both Pika and vanilla Redis
+	_ = client.Do(ctx, "compact").Err()

This change keeps behaviour identical (key expires and is purged) while keeping the full suite much faster and less brittle.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c27e2f5 and 7ebfac5.

📒 Files selected for processing (3)

• src/pika_cache.cc (1 hunks)
• src/pika_kv.cc (2 hunks)
• tests/integration/string_test.go (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• src/pika_cache.cc
• src/pika_kv.cc

[Mixficsol]

这里将end=0即可，不需要return

[Mixficsol]

这里少了一层判断start > end || strlen == 0

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

include/pika_conf.h (1)

170-173: Make the getter const for consistency

Almost every getter could technically be const, but adding const here at least keeps the new API tidy and signals immutability:

-  int64_t proto_max_bulk_len() {
+  int64_t proto_max_bulk_len() const {
     std::shared_lock l(rwlock_);
     return proto_max_bulk_len_;
   }

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7ebfac5 and 4f38703.

📒 Files selected for processing (3)

• conf/pika.conf (1 hunks)
• include/pika_conf.h (2 hunks)
• src/pika_kv.cc (2 hunks)

✅ Files skipped from review due to trivial changes (1)

• conf/pika.conf

🚧 Files skipped from review as they are similar to previous changes (1)

• src/pika_kv.cc

[coderabbitai]

🛠️ Refactor suggestion

⚠️ Potential issue

proto_max_bulk_len_ defaults to 0 and has no setter – this will break SETRANGE/GETRANGE limits

SetrangeCmd::DoInitial() now checks
offset + value_len > conf->proto_max_bulk_len().
With the member default-initialised to 0 and no setter ever exposed, any non-zero request will trigger the “value is too long” error unless the constructor / Load() explicitly overwrites the field — easy to miss and hard to change at runtime.

Action items

-  int64_t proto_max_bulk_len_ = 0;
+  // Default 512 MiB – consistent with Redis `proto-max-bulk-len`
+  int64_t proto_max_bulk_len_ = 512 * 1024 * 1024;

and expose a corresponding setter / config-rewrite path:

+ void SetProtoMaxBulkLen(const int64_t value) {
+   std::lock_guard l(rwlock_);
+   TryPushDiffCommands("proto-max-bulk-len", std::to_string(value));
+   proto_max_bulk_len_ = value;
+ }

Without this, large-range operations will incorrectly fail in fresh deployments and the limit cannot be tuned dynamically.

Also applies to: 1042-1043

🤖 Prompt for AI Agents

In include/pika_conf.h around lines 170 to 173 and also lines 1042 to 1043, the
proto_max_bulk_len_ member defaults to 0 and lacks a setter, causing all
non-zero length SETRANGE/GETRANGE requests to fail. To fix this, add a setter
method for proto_max_bulk_len_ and ensure it can be updated dynamically through
configuration reload or a dedicated config rewrite path, so the limit can be
properly initialized and adjusted at runtime.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 15bb29c and a4da7bc.

📒 Files selected for processing (3)

• include/pika_conf.h (3 hunks)
• src/pika_conf.cc (1 hunks)
• tests/integration/string_test.go (3 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• include/pika_conf.h
• tests/integration/string_test.go

🧰 Additional context used

🧬 Code Graph Analysis (1)

src/pika_conf.cc (1)

src/pstd/src/base_conf.cc (2)

• GetConfInt64Human (133-153)
• GetConfInt64Human (133-133)

[coderabbitai]

🛠️ Refactor suggestion

Add an upper-bound and safeguard against huge user-supplied values

Good to see proto-max-bulk-len being parsed with GetConfInt64Human and defaulting to Redis’ 512 MB.
However, if an operator mis-configures the value (e.g. 10G) nothing prevents the server from accepting it and later trying to allocate >10 GB for a single bulk string, defeating the DoS protection this PR intends to add.

Consider clamping the value to a reasonable hard ceiling (e.g. PIKA_MAX_PROTO_BULK_LEN, 1 GB?) and logging a warning when the user-provided value exceeds that ceiling:

+static const int64_t kMaxProtoBulkLen = 1LL << 30;   // 1 GB
 GetConfInt64Human("proto-max-bulk-len", &proto_max_bulk_len_);
 if (proto_max_bulk_len_ <= 0) {
   proto_max_bulk_len_ = 512 * 1024 * 1024;  // 512MB
+} else if (proto_max_bulk_len_ > kMaxProtoBulkLen) {
+  LOG(WARNING) << "proto-max-bulk-len capped from " << proto_max_bulk_len_
+               << " to " << kMaxProtoBulkLen;
+  proto_max_bulk_len_ = kMaxProtoBulkLen;
 }

This keeps memory usage predictable and aligns with the protective spirit of the patch.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	GetConfInt64Human("proto-max-bulk-len", &proto_max_bulk_len_);
	if (proto_max_bulk_len_ <= 0) {
	proto_max_bulk_len_ = 512 * 1024 * 1024; // 512MB
	}
	// Hard cap to prevent unbounded bulk allocations (1 GB)
	static const int64_t kMaxProtoBulkLen = 1LL << 30;
	GetConfInt64Human("proto-max-bulk-len", &proto_max_bulk_len_);
	if (proto_max_bulk_len_ <= 0) {
	proto_max_bulk_len_ = 512 * 1024 * 1024; // 512MB
	} else if (proto_max_bulk_len_ > kMaxProtoBulkLen) {
	LOG(WARNING) << "proto-max-bulk-len capped from " << proto_max_bulk_len_
	<< " to " << kMaxProtoBulkLen;
	proto_max_bulk_len_ = kMaxProtoBulkLen;
	}

🤖 Prompt for AI Agents

In src/pika_conf.cc around lines 369 to 372, the code sets proto_max_bulk_len_
from user input without an upper limit, risking excessive memory allocation. Add
a constant defining a maximum allowed value (e.g., PIKA_MAX_PROTO_BULK_LEN as 1
GB), then clamp proto_max_bulk_len_ to this maximum if the user-supplied value
exceeds it. Also, log a warning message when clamping occurs to inform the
operator about the adjustment.