diff options
| author | Davi Arnaut <Davi.Arnaut@Sun.COM> | 2009-12-17 15:58:38 -0200 |
|---|---|---|
| committer | Davi Arnaut <Davi.Arnaut@Sun.COM> | 2009-12-17 15:58:38 -0200 |
| commit | 06a1df91813ea2c39f7312bcf8af972c7e8a926f (patch) | |
| tree | dac324abc82ad6d66e71348f8270ff42658c84a9 /libmysql/libmysql.c | |
| parent | 522c084631ad581ec8f17b187a689f9b992ca06e (diff) | |
| download | mariadb-git-06a1df91813ea2c39f7312bcf8af972c7e8a926f.tar.gz | |
Bug#48983: Bad strmake calls (length one too long)
The problem is a somewhat common misusage of the strmake function.
The strmake(dst, src, len) function writes at most /len/ bytes to
the string pointed to by src, not including the trailing null byte.
Hence, if /len/ is the exact length of the destination buffer, a
one byte buffer overflow can occur if the length of the source
string is equal to or greater than /len/.
client/mysqldump.c:
Make room for the trailing null byte.
libmysql/libmysql.c:
Add comment, there is enough room in the buffer.
Increase buffer length, two strings are concatenated.
libmysqld/lib_sql.cc:
Make room for the trailing null byte.
mysys/default.c:
Make room for the trailing null bytes.
mysys/mf_pack.c:
Make room for the trailing null byte.
server-tools/instance-manager/commands.cc:
Copy only if overflow isn't possible in both cases.
server-tools/instance-manager/listener.cc:
Make room for the trailing null byte.
sql/log.cc:
Make room for the trailing null byte.
sql/sp_pcontext.h:
Cosmetic fix.
sql/sql_acl.cc:
MAX_HOSTNAME already specifies space for the trailing null byte.
sql/sql_parse.cc:
Make room for the trailing null byte.
sql/sql_table.cc:
Make room for the trailing null byte.
Diffstat (limited to 'libmysql/libmysql.c')
| -rw-r--r-- | libmysql/libmysql.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/libmysql/libmysql.c b/libmysql/libmysql.c index d287679bebb..62feae1b56e 100644 --- a/libmysql/libmysql.c +++ b/libmysql/libmysql.c @@ -712,7 +712,10 @@ my_bool STDCALL mysql_change_user(MYSQL *mysql, const char *user, if (!passwd) passwd=""; - /* Store user into the buffer */ + /* + Store user into the buffer. + Advance position as strmake returns a pointer to the closing NUL. + */ end= strmake(end, user, USERNAME_LENGTH) + 1; /* write scrambled password according to server capabilities */ @@ -1252,7 +1255,7 @@ mysql_list_fields(MYSQL *mysql, const char *table, const char *wild) { MYSQL_RES *result; MYSQL_FIELD *fields; - char buff[257],*end; + char buff[258],*end; DBUG_ENTER("mysql_list_fields"); DBUG_PRINT("enter",("table: '%s' wild: '%s'",table,wild ? wild : "")); |