diff options
author | Marcin Babij <marcin.babij@oracle.com> | 2014-07-02 10:45:22 +0200 |
---|---|---|
committer | Marcin Babij <marcin.babij@oracle.com> | 2014-07-02 10:45:22 +0200 |
commit | a69ab08b0b30a9c49047257f3eaf51dc0f041c06 (patch) | |
tree | f6f4a1be9d689085631efa0548f37f1011cfb2d3 /client | |
parent | 8ba44294b85aa6ec4eb763d89ad10c9b3c25a1ce (diff) | |
download | mariadb-git-a69ab08b0b30a9c49047257f3eaf51dc0f041c06.tar.gz |
BUG#18779944: MYSQLDUMP BUFFER OVERFLOW
Mysqldump overflows stack buffer when copying table name from commandline arguments resulting in stack corruption and ability to execute arbitrary code.
Fix: Check length of all positional arguments passed to mysqldump is smaller than NAME_LEN.
Note: Mysqldump heavily depends on that database objects (databases, tablespaces, tables, etc) are limited to small size (now it is 64).
Diffstat (limited to 'client')
-rw-r--r-- | client/mysqldump.c | 39 |
1 files changed, 28 insertions, 11 deletions
diff --git a/client/mysqldump.c b/client/mysqldump.c index c19b0b1822a..2a873903d60 100644 --- a/client/mysqldump.c +++ b/client/mysqldump.c @@ -5538,19 +5538,36 @@ int main(int argc, char **argv) dump_all_tablespaces(); dump_all_databases(); } - else if (argc > 1 && !opt_databases) - { - /* Only one database and selected table(s) */ - if (!opt_alltspcs && !opt_notspcs) - dump_tablespaces_for_tables(*argv, (argv + 1), (argc -1)); - dump_selected_tables(*argv, (argv + 1), (argc - 1)); - } else { - /* One or more databases, all tables */ - if (!opt_alltspcs && !opt_notspcs) - dump_tablespaces_for_databases(argv); - dump_databases(argv); + // Check all arguments meet length condition. Currently database and table + // names are limited to NAME_LEN bytes and stack-based buffers assumes + // that escaped name will be not longer than NAME_LEN*2 + 2 bytes long. + int argument; + for (argument= 0; argument < argc; argument++) + { + size_t argument_length= strlen(argv[argument]); + if (argument_length > NAME_LEN) + { + die(EX_CONSCHECK, "[ERROR] Argument '%s' is too long, it cannot be " + "name for any table or database.\n", argv[argument]); + } + } + + if (argc > 1 && !opt_databases) + { + /* Only one database and selected table(s) */ + if (!opt_alltspcs && !opt_notspcs) + dump_tablespaces_for_tables(*argv, (argv + 1), (argc - 1)); + dump_selected_tables(*argv, (argv + 1), (argc - 1)); + } + else + { + /* One or more databases, all tables */ + if (!opt_alltspcs && !opt_notspcs) + dump_tablespaces_for_databases(argv); + dump_databases(argv); + } } /* if --dump-slave , start the slave sql thread */ |