shreemaan-abhishek commented on PR #13483: URL: https://github.com/apache/apisix/pull/13483#issuecomment-4666031808
Good catch, thanks. You're right that `read_len()` is shared and the bulk-length path still accepted negative tokens. Pushed e332f8eaf: `read_req()` now rejects `n < 0` right before each bulk `sk:read(n + 2)` — both the command bulk length and the per-argument bulk length — so a negative length can no longer reach `ffi_str(p, n)`. `read_len()` stays as the lexical check (a decimal integer token) while `read_req()` does the semantic range checks (`narg >= 1`, bulk `n >= 0`). Added regression tests TEST 16 (negative command bulk length, `*1\r\n$-1\r\n`) and TEST 17 (negative argument bulk length, `*2\r\n$3\r\nGET\r\n$-1\r\n`).
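The lexical/semantic split described in the comment above, as an added example in plain Lua that is not the APISIX code: it parses from an in-memory string instead of a cosocket, and the function bodies, error strings and the `read_bulk` helper are assumptions made for illustration. The two negative-length inputs are the payloads quoted for TEST 16 and TEST 17; the other inputs are constructed.

```lua
-- Added illustration, not APISIX code. Names mirror the comment; bodies are assumed.

-- Lexical check only: the token after the prefix must be a decimal integer.
-- A leading '-' is lexically valid, so "-1" passes here by design.
local function read_len(buf, pos, prefix)
    local eol = buf:find("\r\n", pos, true)
    if not eol then return nil, "incomplete line" end
    if buf:sub(pos, pos) ~= prefix then return nil, "unexpected prefix" end
    local tok = buf:sub(pos + 1, eol - 1)
    if not tok:match("^%-?%d+$") then return nil, "length is not a decimal integer" end
    return tonumber(tok), eol + 2
end

-- Hypothetical helper: reads one bulk string. The range check sits directly
-- before the read, so a negative n never becomes a read size.
local function read_bulk(buf, pos)
    local n, nxt = read_len(buf, pos, "$")
    if not n then return nil, nxt end
    if n < 0 then return nil, "negative bulk length" end
    local data = buf:sub(nxt, nxt + n + 1)  -- payload plus trailing CRLF: n + 2 bytes
    if #data ~= n + 2 or data:sub(-2) ~= "\r\n" then return nil, "truncated bulk" end
    return data:sub(1, n), nxt + n + 2
end

-- Semantic checks live here: narg >= 1, and every bulk length >= 0.
local function read_req(buf)
    local narg, pos = read_len(buf, 1, "*")
    if not narg then return nil, pos end
    if narg < 1 then return nil, "invalid argument count" end
    local args = {}
    for i = 1, narg do
        local arg, nxt = read_bulk(buf, pos)
        if not arg then return nil, nxt end
        args[i], pos = arg, nxt
    end
    return args
end

for _, req in ipairs({
    "*2\r\n$3\r\nGET\r\n$3\r\nfoo\r\n",  -- constructed: well-formed request
    "*1\r\n$-1\r\n",                     -- from the comment: negative command bulk length
    "*2\r\n$3\r\nGET\r\n$-1\r\n",        -- from the comment: negative argument bulk length
    "*0\r\n",                            -- constructed: fails narg >= 1
    "*1\r\n$3x\r\nGET\r\n",              -- constructed: fails the lexical check
}) do
    local args, err = read_req(req)
    print(args and ("ok: " .. table.concat(args, " ")) or ("rejected: " .. err))
end
```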
