authoranozdrin/alik@alik. <>2006-08-23 21:31:00 +0400
committeranozdrin/alik@alik. <>2006-08-23 21:31:00 +0400
commit9af756efd309720597962519f28c0f5ab62d1d22 (patch)
tree33f16ff37ffb4d6166ab1d1376dc7f488cde6df7 /sql/sql_yacc.yy
parent28ac53688f6d3049f599d159478a4487eb004773 (diff)
downloadmariadb-git-9af756efd309720597962519f28c0f5ab62d1d22.tar.gz
Fix for BUG#16899: Possible buffer overflow in handling of DEFINER-clause
User names and host names have length limits, and the server code relies on these limits when storing the names. The problem was that these limits were sometimes not checked properly, which could lead to a buffer overflow. The fix is to check the length of the user/host name in the parser and throw an error if the string is too long.
Diffstat (limited to 'sql/sql_yacc.yy')
-rw-r--r--sql/sql_yacc.yy18
1 files changed, 10 insertions, 8 deletions
diff --git a/sql/sql_yacc.yy b/sql/sql_yacc.yy
index 1dbed6d3cdb..133b6e18fee 100644
--- a/sql/sql_yacc.yy
+++ b/sql/sql_yacc.yy
@@ -7511,6 +7511,9 @@ user:
$$->user = $1;
$$->host.str= (char *) "%";
$$->host.length= 1;
+
+ if (check_string_length(&$$->user, ER(ER_USERNAME), USERNAME_LENGTH))
+ YYABORT;
}
| ident_or_text '@' ident_or_text
{
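Review bot: The added length check in the first `user:` alternative carries no comment saying why it lives in the parser, so the commit message is the only record that later code stores these names relying on the limits. I would add above the `if` something like `/* Reject over-long names here: code that stores user/host relies on USERNAME_LENGTH/HOSTNAME_LENGTH and does not re-check. */`; the same applies to the combined user/host check in the `ident_or_text '@' ident_or_text` alternative in the next hunk. check_string_length is not visible here, so it is worth confirming that it compares the byte length against the limit, since the buffers it protects are presumably sized in bytes. Any LEX_USER built outside this grammar rule would not be covered by these checks.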
@@ -7518,6 +7521,11 @@ user:
if (!($$=(LEX_USER*) thd->alloc(sizeof(st_lex_user))))
YYABORT;
$$->user = $1; $$->host=$3;
+
+ if (check_string_length(&$$->user, ER(ER_USERNAME), USERNAME_LENGTH) ||
+ check_string_length(&$$->host, ER(ER_HOSTNAME),
+ HOSTNAME_LENGTH))
+ YYABORT;
}
| CURRENT_USER optional_braces
{
@@ -8995,15 +9003,9 @@ definer:
*/
YYTHD->lex->definer= 0;
}
- | DEFINER_SYM EQ CURRENT_USER optional_braces
+ | DEFINER_SYM EQ user
{
- if (! (YYTHD->lex->definer= create_default_definer(YYTHD)))
- YYABORT;
- }
- | DEFINER_SYM EQ ident_or_text '@' ident_or_text
- {
- if (!(YYTHD->lex->definer= create_definer(YYTHD, &$3, &$5)))
- YYABORT;
+ YYTHD->lex->definer= get_current_user(YYTHD, $3);
}
;
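Review bot: The new `DEFINER_SYM EQ user` action stores the result of get_current_user() without testing it, whereas both removed alternatives aborted the parse when the definer could not be created. get_current_user is not visible in this hunk, but if it can return NULL (for example when it has to build a default definer for CURRENT_USER), the failure would look the same as the empty-DEFINER alternative above, which sets `definer= 0`. I would keep the guard: `if (!(YYTHD->lex->definer= get_current_user(YYTHD, $3))) YYABORT;`. The `definer:` rule starts outside the hunk.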