author | Sujatha Sivakumar <sujatha.sivakumar@oracle.com> | 2014-10-08 10:50:02 +0530 |
---|---|---|
committer | Sujatha Sivakumar <sujatha.sivakumar@oracle.com> | 2014-10-08 10:50:02 +0530 |
commit | 929680913417e6a09330376b9d99f3bf33db7ff3 (patch) | |
tree | 0bbf2b0d55a5ee1b7647bfdd713511cfa54bd6a6 /mysys | |
parent | 27938d14bb5a0313f13e99556d051f3df13d4237 (diff) | |
download | mariadb-git-929680913417e6a09330376b9d99f3bf33db7ff3.tar.gz |
Bug#19145698: READ OUT OF BOUNDS ISSUE

Problem:
========
In a master slave replication if a slave receives a
Start_log_event_v3 the payload is expected to be of fixed
size. If a payload which is smaller than the fixed size is
received it causes a read out of bounds issue.

Analysis:
========
According to documentation the fixed data part of
Start_log_event_v3 looks as shown below.

2 bytes: The binary log format version
50 bytes: The MySQL server's version
4 bytes: Timestamp in seconds when this event was created

Since the payload is expected to be of fixed size, therefore
ST_SERVER_VER_LEN (50) bytes are memcpy'ed into
server_version. But if a malicious master sends a shorter
payload it causes a read out of bounds issue.

Fix:
===
In Start_log_event_v3 event's constructor a check has been
added which expects the minimum payload length to be of size
common_header_len + ST_COMMON_HEADER_LEN_OFFSET bytes. If a
malicious packet of lesser length is received it will be
considered as an invalid event.

sql/log_event.cc:
  Added code changes to check the minimum packet length
  of Start_log_event_v3 should be > 56.

sql/log_event.h:
  Moved server_version from stack to heap and modified
  is_valid function for Start_log_event_v3.

Diffstat (limited to 'mysys')
0 files changed, 0 insertions, 0 deletions
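
The length check the commit message describes, as an added C example (not code from this commit or from the server source tree): the event is rejected before the 50-byte copy unless a full 2 + 50 + 4 byte fixed part follows the header. The struct, the function names and the `FIXED_*` macros are hypothetical, the 19-byte header and version string in the sample are constructed values, and integers are decoded little-endian as binlog fields are.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fixed data part per the commit message: 2 + 50 + 4 bytes. */
#define ST_SERVER_VER_LEN 50   /* name and value from the commit message */
#define FIXED_VERSION_LEN 2    /* hypothetical name */
#define FIXED_CREATED_LEN 4    /* hypothetical name */
#define FIXED_DATA_LEN (FIXED_VERSION_LEN + ST_SERVER_VER_LEN + FIXED_CREATED_LEN)

struct start_event {           /* hypothetical, not the server's class */
    uint16_t binlog_version;
    char     server_version[ST_SERVER_VER_LEN];
    uint32_t created;
};

/* buf/event_len cover the whole event, header included.
   Returns 0 on success, -1 when the event cannot hold the fixed part. */
int parse_start_event(const unsigned char *buf, size_t event_len,
                      size_t common_header_len, struct start_event *out)
{
    /* Validate before any read; the comparison order avoids unsigned wrap. */
    if (buf == NULL || out == NULL ||
        event_len < common_header_len ||
        event_len - common_header_len < FIXED_DATA_LEN)
        return -1;
    const unsigned char *p = buf + common_header_len;
    out->binlog_version = (uint16_t)(p[0] | (p[1] << 8));
    memcpy(out->server_version, p + FIXED_VERSION_LEN, ST_SERVER_VER_LEN);
    /* This example's choice: never trust the sender to NUL-terminate. */
    out->server_version[ST_SERVER_VER_LEN - 1] = '\0';
    p += FIXED_VERSION_LEN + ST_SERVER_VER_LEN;
    out->created = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                   ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return 0;
}

/* Constructed sample: zeroed 19-byte header, then fixed data that the caller
   can declare shorter than 56 bytes to mimic a truncated event. */
int parse_sample(size_t fixed_len, struct start_event *out)
{
    unsigned char ev[19 + FIXED_DATA_LEN] = {0};
    if (fixed_len > FIXED_DATA_LEN) return -1;
    ev[19] = 4;                                /* constructed format version */
    memcpy(ev + 19 + 2, "5.6.21-sample", 13);  /* constructed version string */
    ev[19 + 52] = 0x78; ev[19 + 53] = 0x56; ev[19 + 54] = 0x34; ev[19 + 55] = 0x12;
    return parse_start_event(ev, 19 + fixed_len, 19, out);
}
```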