diff options
| author | Staale Smedseng <staale.smedseng@sun.com> | 2009-07-01 14:09:44 +0200 |
|---|---|---|
| committer | Staale Smedseng <staale.smedseng@sun.com> | 2009-07-01 14:09:44 +0200 |
| commit | 3cd431d553d722ec56db2635d88b8bb17087952a (patch) | |
| tree | 05ab61fb6e8e8f01be26c6067261f9e4a0e8be0a | |
| parent | 67771508836edda4bad393f1a00d89cd419e3814 (diff) | |
| download | mariadb-git-3cd431d553d722ec56db2635d88b8bb17087952a.tar.gz | |
Bug #45790 Potential DoS vector: Writing of user input to log
without proper formatting
The problem is that a suitably crafted database identifier
supplied to COM_CREATE_DB or COM_DROP_DB can cause a SIGSEGV,
and thereby a denial of service. The database name is printed
to the log without using a format string, so potential
attackers can control the behavior of my_b_vprintf() by
supplying their own format string. A CREATE or DROP privilege
would be required.
This patch supplies a format string to the printing of the
database name. A test case is added to mysql_client_test.
sql/sql_parse.cc:
Added format strings.
tests/mysql_client_test.c:
Added new test case.
| -rw-r--r-- | sql/sql_parse.cc | 4 | ||||
| -rw-r--r-- | tests/mysql_client_test.c | 22 |
2 files changed, 24 insertions, 2 deletions
diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc index 0b7d0e6ee10..bcde4a971d0 100644 --- a/sql/sql_parse.cc +++ b/sql/sql_parse.cc @@ -2096,7 +2096,7 @@ bool dispatch_command(enum enum_server_command command, THD *thd, } if (check_access(thd,CREATE_ACL,db,0,1,0,is_schema_db(db))) break; - mysql_log.write(thd,command,packet); + mysql_log.write(thd, command, "%s", db); bzero(&create_info, sizeof(create_info)); mysql_create_db(thd, (lower_case_table_names == 2 ? alias : db), &create_info, 0); @@ -2121,7 +2121,7 @@ bool dispatch_command(enum enum_server_command command, THD *thd, ER(ER_LOCK_OR_ACTIVE_TRANSACTION), MYF(0)); break; } - mysql_log.write(thd,command,db); + mysql_log.write(thd, command, "%s", db); mysql_rm_db(thd, db, 0, 0); break; } diff --git a/tests/mysql_client_test.c b/tests/mysql_client_test.c index 9dfacb7436d..ce1a1a99b04 100644 --- a/tests/mysql_client_test.c +++ b/tests/mysql_client_test.c @@ -12063,6 +12063,27 @@ static void test_bug6081() } +/* + Verify that bogus database names are handled properly with + COM_CREATE_DB and COM_DROP_DB, i.e., cannot cause SIGSEGV through + the use of printf specifiers in the database name. +*/ +static void test_bug45790() +{ + const char* bogus_db = "%s%s%s%s%s%s%s"; + int rc; + + myheader("test_bug45790"); + rc= simple_command(mysql, COM_CREATE_DB, bogus_db, + (ulong)strlen(bogus_db), 0); + myquery(rc); + + rc= simple_command(mysql, COM_DROP_DB, bogus_db, + (ulong)strlen(bogus_db), 0); + myquery(rc); +} + + static void test_bug6096() { MYSQL_STMT *stmt; @@ -16829,6 +16850,7 @@ static struct my_tests_st my_tests[]= { { "test_bug6059", test_bug6059 }, { "test_bug6046", test_bug6046 }, { "test_bug6081", test_bug6081 }, + { "test_bug45790",test_bug45790 }, { "test_bug6096", test_bug6096 }, { "test_datetime_ranges", test_datetime_ranges }, { "test_bug4172", test_bug4172 }, |