fix potential security hole, pointed out by Sergei. Also simplify code per Sergei's suggestion.

sql/ha_federated.cc:
  if the mysql_error(mysql) contained any %-format specifiers, my_snprintf would try to interppret them. Essentially replacing printf(str) with printf("%s", str);
sql/ha_federated.h:
  removed unused remote_error_len variable

1 files changed, 3 insertions, 6 deletions

diff --git a/sql/ha_federated.cc b/sql/ha_federated.cc
index 00516bef5a3..015ad185a24 100644
--- a/sql/ha_federated.cc
+++ b/sql/ha_federated.cc
@@ -2616,10 +2616,8 @@ int ha_federated::stash_remote_error()
   DBUG_ENTER("ha_federated::stash_remote_error()");
   remote_error_number= mysql_errno(mysql);
   const char *remote_error= mysql_error(mysql);
-  remote_error_len= strlen(remote_error);
-  if(remote_error_len > (sizeof(remote_error_buf) - 1))
-    remote_error_len= (sizeof(remote_error_buf) - 1);
-  my_snprintf(remote_error_buf, remote_error_len + 1, remote_error);
+  my_snprintf(remote_error_buf, sizeof(remote_error_buf), "%s",
+              mysql_error(mysql));
   DBUG_RETURN(HA_FEDERATED_ERROR_WITH_REMOTE_SYSTEM);
 }
 
@@ -2633,11 +2631,10 @@ bool ha_federated::get_error_message(int error, String* buf)
     buf->append("Error on remote system: ");
     buf->qs_append(remote_error_number);
     buf->append(": ");
-    buf->append(remote_error_buf, remote_error_len);
+    buf->append(remote_error_buf);
 
     remote_error_number= 0;
     remote_error_buf[0]= '\0';
-    remote_error_len= 0;
   }
   DBUG_PRINT("exit", ("message: %s", buf->ptr()));
   DBUG_RETURN(FALSE);