diff options
| author | Harin Vadodaria <harin.vadodaria@oracle.com> | 2012-12-06 17:02:09 +0530 |
|---|---|---|
| committer | Harin Vadodaria <harin.vadodaria@oracle.com> | 2012-12-06 17:02:09 +0530 |
| commit | d8876ff2fb2fac75a23678bd5b251780c66756a1 (patch) | |
| tree | 22ceb946a87670340c33730ddc7375adeb437b6a /sql/sql_acl.cc | |
| parent | e5424d196b9c392b71fc1b2c8dcf67f610f6a746 (diff) | |
| download | mariadb-git-d8876ff2fb2fac75a23678bd5b251780c66756a1.tar.gz | |
Bug#15912213: BUFFER OVERFLOW IN ACL_GET()
Description: A very large database name causes buffer
overflow in functions acl_get() and
check_grant_db() in sql_acl.cc. It happens
due to an unguarded string copy operation.
This puts required sanity checks before
copying db string to destination buffer.
Diffstat (limited to 'sql/sql_acl.cc')
| -rw-r--r-- | sql/sql_acl.cc | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index d99ca3ceb99..fdd9b107bf2 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -1581,11 +1581,20 @@ ulong acl_get(const char *host, const char *ip, { ulong host_access= ~(ulong)0, db_access= 0; uint i; - size_t key_length; + size_t key_length, copy_length; char key[ACL_KEY_LENGTH],*tmp_db,*end; acl_entry *entry; DBUG_ENTER("acl_get"); + copy_length= (size_t) (strlen(ip ? ip : "") + + strlen(user ? user : "") + + strlen(db ? db : "")); + /* + Make sure that strmov() operations do not result in buffer overflow. + */ + if (copy_length >= ACL_KEY_LENGTH) + DBUG_RETURN(0); + mysql_mutex_lock(&acl_cache->lock); end=strmov((tmp_db=strmov(strmov(key, ip ? ip : "")+1,user)+1),db); if (lower_case_table_names) @@ -4942,6 +4951,16 @@ bool check_grant_db(THD *thd,const char *db) char helping [NAME_LEN+USERNAME_LENGTH+2]; uint len; bool error= TRUE; + size_t copy_length; + + copy_length= (size_t) (strlen(sctx->priv_user ? sctx->priv_user : "") + + strlen(db ? db : "")); + + /* + Make sure that strmov() operations do not result in buffer overflow. + */ + if (copy_length >= (NAME_LEN+USERNAME_LENGTH+2)) + return 1; len= (uint) (strmov(strmov(helping, sctx->priv_user) + 1, db) - helping) + 1; |