diff options
| author | Nisha Gopalakrishnan <nisha.gopalakrishnan@oracle.com> | 2014-04-24 09:30:21 +0530 |
|---|---|---|
| committer | Nisha Gopalakrishnan <nisha.gopalakrishnan@oracle.com> | 2014-04-24 09:30:21 +0530 |
| commit | 56cf9d2db4de4caa3a46e7f0dc421693dc0b56e3 (patch) | |
| tree | 61c49e35855f044c9d61edc9b90ee4526a0cf3fa /libmysql | |
| parent | c006e3f27a840e46a3b187aa47ed9bdd68bab3a4 (diff) | |
| download | mariadb-git-56cf9d2db4de4caa3a46e7f0dc421693dc0b56e3.tar.gz | |
BUG#18080920: CRASH; MY_REALLOC_STR DEREFERENCES NEGATIVE VALUE
INTO CLIENT_ERRORS ARRAY
Analysis:
--------
The client may crash while executing a statement due to
the missing mapping of the server error to it's equivalent
client error.
When trying to reallocate memory for the packet buffer, if
the system is out of memory or the packet buffer is large,
the server errors 'ER_OUT_OF_RESOURCES' or 'ER_PACKET_TOO_LARGE'
is returned respectively. The client error number calculated is
negative and when trying to dereference the array of client
error messages with the calculated error number, the client
crashes.
Fix:
----
Map the server error returned to it's equivalent client error
prior to dereferencing the array of client error messages.
Note: Test case is not added since it is difficult to simulate
the error condition.
Diffstat (limited to 'libmysql')
| -rw-r--r-- | libmysql/errmsg.c | 4 | ||||
| -rw-r--r-- | libmysql/libmysql.c | 6 |
2 files changed, 8 insertions, 2 deletions
diff --git a/libmysql/errmsg.c b/libmysql/errmsg.c index 498ba6e9829..81d2728534a 100644 --- a/libmysql/errmsg.c +++ b/libmysql/errmsg.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -105,6 +105,8 @@ const char** get_client_errmsgs() void init_client_errs(void) { + compile_time_assert(array_elements(client_errors) == + (CR_ERROR_LAST - CR_ERROR_FIRST + 2)); (void) my_error_register(get_client_errmsgs, CR_ERROR_FIRST, CR_ERROR_LAST); } diff --git a/libmysql/libmysql.c b/libmysql/libmysql.c index d6bdea3df1f..6e7134ff97c 100644 --- a/libmysql/libmysql.c +++ b/libmysql/libmysql.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -1316,6 +1316,10 @@ static my_bool my_realloc_str(NET *net, ulong length) res= net_realloc(net, buf_length + length); if (res) { + if (net->last_errno == ER_OUT_OF_RESOURCES) + net->last_errno= CR_OUT_OF_MEMORY; + else if (net->last_errno == ER_NET_PACKET_TOO_LARGE) + net->last_errno= CR_NET_PACKET_TOO_LARGE; strmov(net->sqlstate, unknown_sqlstate); strmov(net->last_error, ER(net->last_errno)); } |