Bug#48983: Bad strmake calls (length one too long)

The problem is a somewhat common misusage of the strmake function. The strmake(dst, src, len) function writes at most /len/ bytes to the string pointed to by src, not including the trailing null byte. Hence, if /len/ is the exact length of the destination buffer, a one byte buffer overflow can occur if the length of the source string is equal to or greater than /len/.
author: Davi Arnaut <Davi.Arnaut@Sun.COM> 2009-12-17 15:58:38 -0200
committer: Davi Arnaut <Davi.Arnaut@Sun.COM> 2009-12-17 15:58:38 -0200
commit: b9380f0e76b34af223c4ef0b4fe648ddca47a59c (patch)
tree: dac324abc82ad6d66e71348f8270ff42658c84a9 /sql/sql_parse.cc
parent: 0f7397908466421a857fd1718766c41ef7648c9b (diff)
download: mariadb-git-b9380f0e76b34af223c4ef0b4fe648ddca47a59c.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc
index f34aa3c3bad..48df40f2614 100644
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -917,7 +917,7 @@ static int check_connection(THD *thd)
   vio_keepalive(net->vio, TRUE);
   {
     /* buff[] needs to big enough to hold the server_version variable */
-    char buff[SERVER_VERSION_LENGTH + SCRAMBLE_LENGTH + 64];
+    char buff[SERVER_VERSION_LENGTH + 1 + SCRAMBLE_LENGTH + 1 + 64];
     ulong client_flags = (CLIENT_LONG_FLAG | CLIENT_CONNECT_WITH_DB |
 			  CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION);
author	Davi Arnaut <Davi.Arnaut@Sun.COM>	2009-12-17 15:58:38 -0200
committer	Davi Arnaut <Davi.Arnaut@Sun.COM>	2009-12-17 15:58:38 -0200
commit	b9380f0e76b34af223c4ef0b4fe648ddca47a59c (patch)
tree	dac324abc82ad6d66e71348f8270ff42658c84a9 /sql/sql_parse.cc
parent	0f7397908466421a857fd1718766c41ef7648c9b (diff)
download	mariadb-git-b9380f0e76b34af223c4ef0b4fe648ddca47a59c.tar.gz