| field | value | date |
|---|---|---|
| author | Ramil Kalimullin <ramil@mysql.com> | 2010-04-29 08:42:32 +0400 |
| committer | Ramil Kalimullin <ramil@mysql.com> | 2010-04-29 08:42:32 +0400 |
| commit | 933e5ca5f0628c081484c5bc976c37db0cfbc94a | |
| tree | 0245757c04be4818a686cab6bdc56dc75e53a508 | |
| parent | 1a1fd04d840e89919209373e08e38ecd85e4864d | |
Fix for bug #53237: mysql_list_fields/COM_FIELD_LIST stack smashing
Problem: "COM_FIELD_LIST is an old command of the MySQL server, before there was a real move to only SQL. Seems that the data sent to COM_FIELD_LIST (the mysql_list_fields() function) is not checked for sanity. By sending long data for the table, a buffer is overflowed, which can be used deliberately to include code that harms".
Fix: check incoming data length.
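The length check this commit describes, written out as an added stand-alone C example (not the server's own code): `NAME_LEN_MAX`, the function names and the sample payloads are assumptions; the one property borrowed from the server is that the buffer carries a NUL after the payload, which is why the `>= packet_length` half of the check is needed.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for the server's NAME_LEN, kept small so an overlong name is easy
   to construct (assumption: the real constant is larger). */
#define NAME_LEN_MAX 64

enum fl_status { FL_OK = 0, FL_BAD_PACKET = 1 };

/*
 * Split a COM_FIELD_LIST payload laid out as <table name>\0<wildcard>.
 * The buffer is assumed to carry one extra NUL after packet_length bytes,
 * as the server's net layer does. A payload with no NUL of its own still
 * stops strlen(), but only at that trailing byte, so the name length equals
 * packet_length and the wildcard would start one byte past the payload.
 */
enum fl_status parse_field_list(const char *packet, size_t packet_length,
                                const char **name, size_t *name_len,
                                const char **wildcard)
{
    size_t arg_length = strlen(packet);        /* same role as pend - packet */

    /* Both bounds from the fix: the name must end inside the payload and
       must fit an identifier. */
    if (arg_length >= packet_length || arg_length > NAME_LEN_MAX)
        return FL_BAD_PACKET;

    *name = packet;
    *name_len = arg_length;
    *wildcard = packet + arg_length + 1;       /* packet = pend + 1 */
    return FL_OK;
}

/* Offset the unchecked pre-fix code would take for the wildcard. */
size_t unchecked_wildcard_offset(const char *packet)
{
    return strlen(packet) + 1;
}

/* Status for a constructed name of 'len' bytes followed by an empty wildcard. */
enum fl_status status_for_name_length(size_t len)
{
    char buf[256];
    const char *name, *wc;
    size_t name_len;

    if (len > sizeof(buf) - 2)
        return FL_BAD_PACKET;
    memset(buf, 'a', len);
    buf[len] = '\0';          /* separator inside the payload */
    buf[len + 1] = '\0';      /* the net layer's trailing NUL */
    return parse_field_list(buf, len + 1, &name, &name_len, &wc);
}
```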
-rw-r--r-- | sql/sql_parse.cc | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc index 64d6888d772..f1fb3d646b5 100644 --- a/sql/sql_parse.cc +++ b/sql/sql_parse.cc @@ -2025,8 +2025,16 @@ bool dispatch_command(enum enum_server_command command, THD *thd, if (thd->copy_db_to(&table_list.db, &table_list.db_length)) break; pend= strend(packet); + uint arg_length= pend - packet; + + /* Check given table name length. */ + if (arg_length >= packet_length || arg_length > NAME_LEN) + { + my_message(ER_UNKNOWN_COM_ERROR, ER(ER_UNKNOWN_COM_ERROR), MYF(0)); + break; + } thd->convert_string(&conv_name, system_charset_info, - packet, (uint) (pend-packet), thd->charset()); + packet, arg_length, thd->charset()); table_list.alias= table_list.table_name= conv_name.str; packet= pend+1; |
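Review bot: `pend= strend(packet);` still runs before the new bound is applied, so `if (arg_length >= packet_length || arg_length > NAME_LEN)` does not limit the scan itself; it only rejects the result when the NUL found was the terminator the net layer appends after the payload, in which case `arg_length == packet_length`. The comment `/* Check given table name length. */` should say that, because the `>= packet_length` half is what keeps `packet= pend+1;` inside the payload, and a later reader may otherwise drop it as redundant with the `NAME_LEN` bound. Also, the `NAME_LEN` bound is taken on the byte length before `thd->convert_string` transcodes the name into `system_charset_info`; if anything downstream stores the converted name in a `NAME_LEN`-sized buffer, the post-conversion length needs its own check.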