author | Karthik Kamath <karthik.kamath@oracle.com> | 2016-11-10 15:11:57 +0530 |
---|---|---|
committer | Karthik Kamath <karthik.kamath@oracle.com> | 2016-11-10 15:11:57 +0530 |
commit | a63185e8638365d401732803ba93b6b149d33c65 (patch) | |
tree | 88854659041afe8608a9dc11cd192072cea6b9db | |
parent | 2f2103d540f86e326b22cef39183e8e0985da138 (diff) | |
BUG#24437124: POSSIBLE BUFFER OVERFLOW ON CREATE TABLE
ANALYSIS:
=========
'CREATE TABLE' query with a large value for 'CONNECTION'
string reports an incorrect error.
The length of connection string is stored in .frm in two
bytes (max value= 65535). When the string length exceeds
the max value, the length is truncated to fit the two
bytes limit. Further processing leads to reading only a
part of the string as the length stored is incorrect. The
remaining part of the string is treated as engine type and
hence results in an error.
FIX:
====
We are now restricting the connection string length to 1024.
An appropriate error is reported if the length crosses this
limit.
NOTE:
=====
The 'PASSWORD' table option is documented as unused and is only
processed within dead code, so it cannot trigger a similar issue
with large strings.
-rw-r--r-- | include/mysql_com.h | 3 | ||||
-rw-r--r-- | sql/sql_table.cc | 15 |
2 files changed, 17 insertions, 1 deletions
diff --git a/include/mysql_com.h b/include/mysql_com.h
index f2345be6fd6..5cd40915743 100644
--- a/include/mysql_com.h
+++ b/include/mysql_com.h
@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -26,6 +26,7 @@
 #define USERNAME_CHAR_LENGTH 16
 #define NAME_LEN (NAME_CHAR_LEN*SYSTEM_CHARSET_MBMAXLEN)
 #define USERNAME_LENGTH (USERNAME_CHAR_LENGTH*SYSTEM_CHARSET_MBMAXLEN)
+#define CONNECT_STRING_MAXLEN 1024
 
 #define MYSQL_AUTODETECT_CHARSET_NAME "auto"
 
diff --git a/sql/sql_table.cc b/sql/sql_table.cc
index 49f05c6116e..58bcf5ca1d4 100644
--- a/sql/sql_table.cc
+++ b/sql/sql_table.cc
@@ -2851,6 +2851,21 @@ mysql_prepare_create_table(THD *thd, HA_CREATE_INFO *create_info,
   uint total_uneven_bit_length= 0;
   DBUG_ENTER("mysql_prepare_create_table");
 
+  LEX_STRING* connect_string = &create_info->connect_string;
+  if (connect_string->length != 0 &&
+      connect_string->length > CONNECT_STRING_MAXLEN &&
+      (system_charset_info->cset->charpos(system_charset_info,
+                                          connect_string->str,
+                                          (connect_string->str +
+                                           connect_string->length),
+                                          CONNECT_STRING_MAXLEN)
+       < connect_string->length))
+  {
+    my_error(ER_WRONG_STRING_LENGTH, MYF(0),
+             connect_string->str, "CONNECTION", CONNECT_STRING_MAXLEN);
+    DBUG_RETURN(TRUE);
+  }
+
   select_field_pos= alter_info->create_list.elements - select_field_count;
   null_fields=blob_columns=0;
   create_info->varchar= 0;
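Review bot: The new guard in mysql_prepare_create_table caps the CONNECTION string at CONNECT_STRING_MAXLEN characters (charpos walks system_charset_info), while the root cause described in the message is a two-byte byte-length field in the .frm; after this check the byte length can still be up to mbmaxlen times 1024, which fits the field, but nothing in the hunk records that and the bare `1024` in mysql_com.h reads like a byte limit. I would state the unit at the check, e.g. `/* Limit is in characters, not bytes; even at mbmaxlen the result fits the .frm's 2-byte length field */`, and give the #define a one-line comment to the same effect. The leading `connect_string->length != 0 &&` clause is redundant given the following `> CONNECT_STRING_MAXLEN` comparison and can be dropped. The site that narrows the length to two bytes when the .frm is written is not touched by this commit, so if any other path — presumably ALTER TABLE ... CONNECTION= — reaches it without passing through this function, the truncation remains reachable; a bounds assertion at the writer would be cheap defense in depth. mysql_prepare_create_table continues beyond the end of the hunk.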