Fix memory corruption in sharded pubsub unsubscribe

uriyage · uriyage · commit 644c7f2ed51e · 2025-05-25T09:16:24.000Z
This commit fixes two issues in pubsubUnsubscribeChannel that could lead to
memory corruption:

1. The 'found' variable was not initialized to NULL, causing the serverAssert
   to potentially pass incorrectly when the hashtable lookup failed, leading
   to memory corruption in subsequent operations.

2. When calculating the slot for a channel, we were using getKeySlot() which
   might use the current_client's slot if available. This is problematic when
   a client kills another client (e.g., via CLIENT KILL command) as the slot
   won't match the channel's actual slot.

The fix:
- Initialize 'found' to NULL
- Calculate the slot directly from the channel name using keyHashSlot()
  instead of relying on the current client's slot

Added a test case that reproduces the issue by having one client kill another
client that is subscribed to a sharded pubsub channel during a transaction.

Signed-off-by: Uri Yagelnik &lt;uriy@amazon.com&gt;
diff --git a/src/pubsub.c b/src/pubsub.c
@@ -341,9 +341,9 @@ int pubsubUnsubscribeChannel(client *c, robj *channel, int notify, pubsubtype ty
         retval = 1;
         /* Remove the client from the channel -> clients list hash table */
         if (server.cluster_enabled && type.shard) {
-            slot = getKeySlot(channel->ptr);
+            slot = keyHashSlot(channel->ptr, (int)sdslen(channel->ptr));
         }
-        void *found;
+        void *found = NULL;
         kvstoreHashtableFind(*type.serverPubSubChannels, slot, channel, &found);
         serverAssertWithInfo(c, NULL, found);
         clients = found;
diff --git a/tests/unit/cluster/sharded-pubsub.tcl b/tests/unit/cluster/sharded-pubsub.tcl
@@ -53,4 +53,37 @@ start_cluster 1 1 {tags {external:skip cluster}} {
         catch {[$replica EXEC]} err
         assert_match {EXECABORT*} $err
     }
+    
+    test "SSUBSCRIBE client killed during transaction" {
+        # Create two clients
+        set rd1 [valkey_deferring_client $primary_id]
+        set rd2 [valkey_deferring_client $primary_id]
+        
+        # Get client 1 ID
+        $rd1 client id
+        set rd1_id [$rd1 read]
+        puts "rd1_id $rd1_id"
+        # Client1 subscribes to a shard channel
+        $rd1 ssubscribe channel0
+        
+        # Wait for the subscription to be acknowledged
+        assert_equal {ssubscribe channel0 1} [$rd1 read]
+        # Client2 starts a transaction, sets a key
+        $rd2 multi
+        set multi_result [$rd2 read]
+        assert_equal {OK} $multi_result
+
+        $rd2 set k v
+        set result [$rd2 read]
+        assert_equal {QUEUED} $result
+        # Kill client1 inside client2's transaction
+        $rd2 client kill id $rd1_id
+        set result [$rd2 read]
+        assert_equal {QUEUED} $result
+
+        # Execute the transaction
+        $rd2 exec
+        set exec_result [$rd2 read]
+        assert_equal {OK 1} $exec_result "Transaction execution should return OK and kill count"
+    }
 }
