diff options
| author | unknown <cmiller@zippy.(none)> | 2006-05-01 22:10:50 -0400 |
|---|---|---|
| committer | unknown <cmiller@zippy.(none)> | 2006-05-01 22:10:50 -0400 |
| commit | 3010890e589de89d2f5bb4c0e2c3a0b06b827b10 (patch) | |
| tree | e1be3b9af9e1eb4a72abb369924831d5a8129301 /mysys/my_memmem.c | |
| parent | 8eb2b474b335973dcd2a2aa8c1fa5c097d46cc50 (diff) | |
| download | mariadb-git-3010890e589de89d2f5bb4c0e2c3a0b06b827b10.tar.gz | |
SECURITY FIX
Bug#17667: An attacker has the opportunity to bypass query logging.
This adds a new, local-only printf format specifier to our *printf functions
that allows us to print known-size buffers that must not be interpreted as
NUL-terminated "strings."
It uses this format-specifier to print to the log, thus fixing this
problem.
include/my_sys.h:
Add prototype for my_memmem() .
mysys/Makefile.am:
Add reference to new file, my_memmem.c
mysys/mf_iocache2.c:
Add a "%.1234b" and "%.*b" percent-code. It takes a width, just like "%s",
but unlike the string-indicator, it requires the width and doesn't stop printing
at NUL characters.
Also, simplify the code a bit.
TODO: This code should be unified with the strings/my_vnsprintf.c code in
the future.
sql/sql_parse.cc:
The query is not a C-string, but is a sized buffer, containing any character
at all, which may include NUL characters.
strings/my_vsnprintf.c:
Add a "%.1234b" and "%.*b" percent-code. It takes a width, just like "%s",
but unlike the string-indicator, it requires the width and doesn't stop printing
at NUL characters.
tests/Makefile.am:
We may need some of our local functions.
tests/mysql_client_test.c:
Add a "%.1234b" and "%.*b" percent-code. It takes a width, just like "%s",
but unlike the string-indicator, it requires the width and doesn't stop printing
at NUL characters.
mysql-test/t/mysql_client_test.opt:
New BitKeeper file ``mysql-test/t/mysql_client_test.opt''
Add '--log' server parameter.
mysys/my_memmem.c:
New BitKeeper file ``mysys/my_memmem.c''
Implement memmem, a black-box work-alike of the GNU memmem(), which functions
like strstr() but for arbitrary blocks of memory.
Diffstat (limited to 'mysys/my_memmem.c')
| -rw-r--r-- | mysys/my_memmem.c | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/mysys/my_memmem.c b/mysys/my_memmem.c new file mode 100644 index 00000000000..3a71d39c262 --- /dev/null +++ b/mysys/my_memmem.c @@ -0,0 +1,65 @@ +#include "my_base.h" + +/* + my_memmem, port of a GNU extension. + + Returns a pointer to the beginning of the substring, needle, or NULL if the + substring is not found in haystack. +*/ +void *my_memmem(const void *haystack, size_t haystacklen, + const void *needle, size_t needlelen) +{ + const void *cursor; + const void *last_possible_needle_location = haystack + haystacklen - needlelen; + + /* Easy answers */ + if (needlelen > haystacklen) return(NULL); + if (needle == NULL) return(NULL); + if (haystack == NULL) return(NULL); + if (needlelen == 0) return(NULL); + if (haystacklen == 0) return(NULL); + + for (cursor = haystack; cursor <= last_possible_needle_location; cursor++) { + if (memcmp(needle, cursor, needlelen) == 0) { + return((void *) cursor); + } + } + return(NULL); +} + + + +#ifdef MAIN +#include <assert.h> + +int main(int argc, char *argv[]) { + char haystack[10], needle[3]; + + memmove(haystack, "0123456789", 10); + + memmove(needle, "no", 2); + assert(my_memmem(haystack, 10, needle, 2) == NULL); + + memmove(needle, "345", 3); + assert(my_memmem(haystack, 10, needle, 3) != NULL); + + memmove(needle, "789", 3); + assert(my_memmem(haystack, 10, needle, 3) != NULL); + assert(my_memmem(haystack, 9, needle, 3) == NULL); + + memmove(needle, "012", 3); + assert(my_memmem(haystack, 10, needle, 3) != NULL); + assert(my_memmem(NULL, 10, needle, 3) == NULL); + + assert(my_memmem(NULL, 10, needle, 3) == NULL); + assert(my_memmem(haystack, 0, needle, 3) == NULL); + assert(my_memmem(haystack, 10, NULL, 3) == NULL); + assert(my_memmem(haystack, 10, needle, 0) == NULL); + + assert(my_memmem(haystack, 1, needle, 3) == NULL); + + printf("success\n"); + return(0); +} + +#endif |