authorDmitry Lenev <Dmitry.Lenev@oracle.com>2012-12-11 22:04:30 +0400
committerDmitry Lenev <Dmitry.Lenev@oracle.com>2012-12-11 22:04:30 +0400
commit4235e46ea2973d82994f28d47cad95a12d77685d (patch)
treea1e388eba6be5e74da9c6a45774476e52bcf879e /sql/sql_base.h
parent897f497f74961e64a729b97c2d4475cebf4612b0 (diff)
parent2e10e7c38eb6ccef3319f3fc5267224c171628da (diff)
Bug #15954872 "MAKE MDL SUBSYSTEM AND TABLE DEFINITION CACHE
ROBUST AGAINST BUGS IN CALLERS". Both the MDL subsystem and the Table Definition Cache code assume that callers ensure that names of objects passed to them are not longer than NAME_LEN bytes. Unfortunately, due to bugs in callers, this assumption might be broken in some cases. As a result we get nasty bugs causing buffer overruns when we construct an MDL key or TDC key from object names. This patch makes the MDL and TDC code more robust against such bugs by ensuring that we always check the size of the result buffer when constructing MDL and TDC keys. This doesn't free its callers from ensuring that both db and table names are shorter than NAME_LEN bytes. But at least these steps prevent buffer overruns in case of a bug in the caller, replacing them with less harmful behavior. This is the 5.5-only version of the patch. Changed the code of MDL_key::mdl_key_init() to take into account the size of the buffer for the key. Introduced a new version of the create_table_def_key() helper function which constructs a TDC key without risk of overrunning the result buffer. Places in the code that construct TDC keys were changed to use this function. Also changed the rm_temporary_table() and open_new_frm() functions to avoid use of the "unsafe" strmov() and strxmov() functions and use the safer strnxmov() instead.
Diffstat (limited to 'sql/sql_base.h')
-rw-r--r--sql/sql_base.h27
1 files changed, 26 insertions, 1 deletions
diff --git a/sql/sql_base.h b/sql/sql_base.h
index dc8320687fc..96ca569dd1f 100644
--- a/sql/sql_base.h
+++ b/sql/sql_base.h
@@ -81,6 +81,31 @@ uint cached_table_definitions(void);
uint create_table_def_key(THD *thd, char *key,
const TABLE_LIST *table_list,
bool tmp_table);
+
+/**
+ Create a table cache key for non-temporary table.
+
+ @param key Buffer for key (must be at least NAME_LEN*2+2 bytes).
+ @param db Database name.
+ @param table_name Table name.
+
+ @return Length of key.
+
+ @sa create_table_def_key(thd, char *, table_list, bool)
+*/
+
+inline uint
+create_table_def_key(char *key, const char *db, const char *table_name)
+{
+ /*
+ In theory caller should ensure that both db and table_name are
+ not longer than NAME_LEN bytes. In practice we play safe to avoid
+ buffer overruns.
+ */
+ return (uint)(strmake(strmake(key, db, NAME_LEN) + 1, table_name,
+ NAME_LEN) - key + 1);
+}
+
TABLE_SHARE *get_table_share(THD *thd, TABLE_LIST *table_list, char *key,
uint key_length, uint db_flags, int *error,
my_hash_value_type hash_value);
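Review bot: In the new `create_table_def_key(char *key, const char *db, const char *table_name)` an over-long name is truncated silently, so two distinct names that agree in their first NAME_LEN bytes would produce the same cache key and nothing tells the developer which caller is at fault. The two `strmake(..., NAME_LEN)` calls do cap the write at NAME_LEN*2+2 bytes, but that size remains a doc-comment contract only, since `key` is passed without a length. I would add `DBUG_ASSERT(strlen(db) <= NAME_LEN && strlen(table_name) <= NAME_LEN);` before the return so debug builds surface the offending caller while release builds keep the truncating behaviour. The doc comment should also state the consequence, for example `Names longer than NAME_LEN bytes are truncated, so the resulting key is not guaranteed to be unique for them.`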
@@ -157,7 +182,7 @@ thr_lock_type read_lock_type_for_table(THD *thd,
TABLE_LIST *table_list);
my_bool mysql_rm_tmp_tables(void);
-bool rm_temporary_table(handlerton *base, char *path);
+bool rm_temporary_table(handlerton *base, const char *path);
void close_tables_for_reopen(THD *thd, TABLE_LIST **tables,
const MDL_savepoint &start_of_statement_svp);
TABLE_LIST *find_table_in_list(TABLE_LIST *table,