path: root/sql/time.cc
author: Venkata Sidagam <venkata.sidagam@oracle.com> 2013-10-16 14:14:44 +0530
committer: Venkata Sidagam <venkata.sidagam@oracle.com> 2013-10-16 14:14:44 +0530
commit: de0e8a02d18b4593e11b282b7c8641603b7cbfe9 (patch)
tree: af13313bb13a0ad881bb6d87d380f2471f867958 /sql/time.cc
parent: 3399194cefc7fcffcba4c304bbb3badec1afc21e (diff)
download: mariadb-git-de0e8a02d18b4593e11b282b7c8641603b7cbfe9.tar.gz
Bug#16900358 FIX FOR CVE-2012-5611 IS INCOMPLETE
Description: The fix for bug CVE-2012-5611 (bug 67685) is incomplete. The ACL_KEY_LENGTH-sized buffers in acl_get() and check_grant_db() can be overflowed by up to two bytes. That's probably not enough to do anything more serious than crashing mysqld.

Analysis: In acl_get(), when "copy_length" is calculated, it is just adding the variable lengths. But when we use them with strmov() we add +1 to each. This will lead to a three-byte buffer overflow (i.e. two +1's at strmov() and one byte for the null added by the strmov() function). Similarly, it happens for the check_grant_db() function as well.

Fix: We need to add "+2" to "copy_length" in acl_get() and "+1" to "copy_length" in check_grant_db().
Diffstat (limited to 'sql/time.cc')
0 files changed, 0 insertions, 0 deletions
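The length arithmetic the commit message describes, reduced to a stand-alone C program. This is an added example and not MySQL's or MariaDB's own code: `my_strmov()` is a stand-in for MySQL's strmov() with stpcpy() semantics, `KEY_LEN` is an assumed small buffer size standing in for ACL_KEY_LENGTH, and the key layout (ip, NUL, user, NUL, db, NUL) and the `>=` rejection rule are taken from the message's description of acl_get(). The program measures how many bytes the three strmov() calls actually write for inputs the pre-fix and post-fix length checks accept, so the "+2" can be checked rather than taken on faith.

```c
#include <stdio.h>
#include <string.h>

/* Assumed key-buffer size for this example; MySQL's real ACL_KEY_LENGTH
 * is larger, but the arithmetic is the same. */
#define KEY_LEN 16

/* Stand-in for MySQL's strmov(): copy src (NUL included) to dst and return
 * a pointer to the NUL just written, exactly like POSIX stpcpy(). */
static char *my_strmov(char *dst, const char *src)
{
    while ((*dst = *src++) != '\0')
        dst++;
    return dst;
}

/* Pre-fix check as the commit message describes it: copy_length is the bare
 * sum of the part lengths; input is rejected only when copy_length >= KEY_LEN. */
int accepted_unpatched(const char *ip, const char *user, const char *db)
{
    size_t copy_length = strlen(ip) + strlen(user) + strlen(db);
    return copy_length < KEY_LEN;
}

/* Post-fix check: "+2" accounts for the two separator bytes that the "+1"
 * after each strmov() skips over. */
int accepted_patched(const char *ip, const char *user, const char *db)
{
    size_t copy_length = strlen(ip) + strlen(user) + strlen(db) + 2;
    return copy_length < KEY_LEN;
}

/* Build the key the way the message describes (ip \0 user \0 db \0) into a
 * scratch buffer sized so it cannot overflow here, and return how many bytes
 * the sequence occupies, final NUL included. Parts are assumed to be under
 * 64 bytes; longer input returns 0 instead of overrunning the scratch space. */
size_t key_bytes(const char *ip, const char *user, const char *db)
{
    char scratch[3 * 64 + 3];
    if (strlen(ip) >= 64 || strlen(user) >= 64 || strlen(db) >= 64)
        return 0;
    char *end = my_strmov(my_strmov(my_strmov(scratch, ip) + 1, user) + 1, db);
    return (size_t)(end - scratch) + 1;
}

/* Number of bytes that would land past the end of a KEY_LEN-byte key buffer. */
size_t overflow_bytes(const char *ip, const char *user, const char *db)
{
    size_t n = key_bytes(ip, user, db);
    return n > KEY_LEN ? n - KEY_LEN : 0;
}

int main(void)
{
    /* Constructed sample input: the lengths add up to KEY_LEN - 1, the largest
     * sum the unpatched check lets through. */
    const char *ip = "1.2.3.4", *user = "root", *db = "test";
    printf("unpatched accepts: %d, patched accepts: %d\n",
           accepted_unpatched(ip, user, db), accepted_patched(ip, user, db));
    printf("key needs %zu bytes in a %d-byte buffer -> %zu byte(s) past the end\n",
           key_bytes(ip, user, db), KEY_LEN, overflow_bytes(ip, user, db));
    return 0;
}
```

With the sum of the part lengths at KEY_LEN - 1 the unpatched check accepts the input, yet the three copies plus two separators and the final NUL occupy KEY_LEN + 2 bytes, i.e. two bytes past the buffer, which is the bound the commit message gives. With the "+2" added, the largest accepted sum is KEY_LEN - 3 and the written key fits in exactly KEY_LEN bytes.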