Fix for BUG#16899: Possible buffer overflow in handling of DEFINER-clause

  
User name (host name) has limit on length. The server code relies on these
limits when storing the names. The problem was that sometimes these limits
were not checked properly, so that could lead to buffer overflow.

The fix is to check length of user/host name in parser and if string is too
long, throw an error.


mysql-test/r/grant.result:
  Updated result file.
mysql-test/r/sp.result:
  Updated result file.
mysql-test/r/trigger.result:
  Updated result file.
mysql-test/r/view.result:
  Updated result file.
mysql-test/t/grant.test:
  Added test for BUG#16899.
mysql-test/t/sp.test:
  Added test for BUG#16899.
mysql-test/t/trigger.test:
  Added test for BUG#16899.
mysql-test/t/view.test:
  Added test for BUG#16899.
sql/mysql_priv.h:
  Added prototype for new function.
sql/share/errmsg.txt:
  Added new resources.
sql/sql_acl.cc:
  Remove outdated checks.
sql/sql_parse.cc:
  Add a new function for checking string length.
sql/sql_yacc.yy:
  Check length of user/host name.

1 files changed, 0 insertions, 33 deletions

diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index ae5ea210a47..0c7b8626c93 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -2900,14 +2900,6 @@ bool mysql_table_grant(THD *thd, TABLE_LIST *table_list,
       result= TRUE;
       continue;
     }  
-    if (Str->host.length > HOSTNAME_LENGTH ||
-	Str->user.length > USERNAME_LENGTH)
-    {
-      my_message(ER_GRANT_WRONG_HOST_OR_USER, ER(ER_GRANT_WRONG_HOST_OR_USER),
-                 MYF(0));
-      result= TRUE;
-      continue;
-    }
     /* Create user if needed */
     error=replace_user_table(thd, tables[0].table, *Str,
 			     0, revoke_grant, create_new_users,
@@ -3112,15 +3104,6 @@ bool mysql_routine_grant(THD *thd, TABLE_LIST *table_list, bool is_proc,
       result= TRUE;
       continue;
     }  
-    if (Str->host.length > HOSTNAME_LENGTH ||
-	Str->user.length > USERNAME_LENGTH)
-    {
-      if (!no_error)
-	my_message(ER_GRANT_WRONG_HOST_OR_USER, ER(ER_GRANT_WRONG_HOST_OR_USER),
-                   MYF(0));
-      result= TRUE;
-      continue;
-    }
     /* Create user if needed */
     error=replace_user_table(thd, tables[0].table, *Str,
 			     0, revoke_grant, create_new_users,
@@ -3246,14 +3229,6 @@ bool mysql_grant(THD *thd, const char *db, List <LEX_USER> &list,
       result= TRUE;
       continue;
     }  
-    if (Str->host.length > HOSTNAME_LENGTH ||
-	Str->user.length > USERNAME_LENGTH)
-    {
-      my_message(ER_GRANT_WRONG_HOST_OR_USER, ER(ER_GRANT_WRONG_HOST_OR_USER),
-                 MYF(0));
-      result= -1;
-      continue;
-    }
     if (replace_user_table(thd, tables[0].table, *Str,
                            (!db ? rights : 0), revoke_grant, create_new_users,
                            test(thd->variables.sql_mode &
@@ -4144,14 +4119,6 @@ bool mysql_show_grants(THD *thd,LEX_USER *lex_user)
     DBUG_RETURN(TRUE);
   }
 
-  if (lex_user->host.length > HOSTNAME_LENGTH ||
-      lex_user->user.length > USERNAME_LENGTH)
-  {
-    my_message(ER_GRANT_WRONG_HOST_OR_USER, ER(ER_GRANT_WRONG_HOST_OR_USER),
-               MYF(0));
-    DBUG_RETURN(TRUE);
-  }
-
   rw_rdlock(&LOCK_grant);
   VOID(pthread_mutex_lock(&acl_cache->lock));