authorDavi Arnaut <Davi.Arnaut@Sun.COM>2009-12-17 15:58:38 -0200
committerDavi Arnaut <Davi.Arnaut@Sun.COM>2009-12-17 15:58:38 -0200
commit06a1df91813ea2c39f7312bcf8af972c7e8a926f (patch)
treedac324abc82ad6d66e71348f8270ff42658c84a9 /sql
parent522c084631ad581ec8f17b187a689f9b992ca06e (diff)
downloadmariadb-git-06a1df91813ea2c39f7312bcf8af972c7e8a926f.tar.gz
Bug#48983: Bad strmake calls (length one too long)
The problem is a somewhat common misuse of the strmake function. The strmake(dst, src, len) function writes at most /len/ bytes to the string pointed to by dst, not including the trailing null byte. Hence, if /len/ is the exact length of the destination buffer, a one byte buffer overflow can occur if the length of the source string is equal to or greater than /len/. client/mysqldump.c: Make room for the trailing null byte. libmysql/libmysql.c: Add comment, there is enough room in the buffer. Increase buffer length, two strings are concatenated. libmysqld/lib_sql.cc: Make room for the trailing null byte. mysys/default.c: Make room for the trailing null bytes. mysys/mf_pack.c: Make room for the trailing null byte. server-tools/instance-manager/commands.cc: Copy only if overflow isn't possible in both cases. server-tools/instance-manager/listener.cc: Make room for the trailing null byte. sql/log.cc: Make room for the trailing null byte. sql/sp_pcontext.h: Cosmetic fix. sql/sql_acl.cc: MAX_HOSTNAME already specifies space for the trailing null byte. sql/sql_parse.cc: Make room for the trailing null byte. sql/sql_table.cc: Make room for the trailing null byte.
Diffstat (limited to 'sql')
-rw-r--r--sql/log.cc8
-rw-r--r--sql/sp_pcontext.h2
-rw-r--r--sql/sql_acl.cc4
-rw-r--r--sql/sql_parse.cc2
-rw-r--r--sql/sql_table.cc2
5 files changed, 9 insertions, 9 deletions
diff --git a/sql/log.cc b/sql/log.cc
index c042651216c..4aeab534b23 100644
--- a/sql/log.cc
+++ b/sql/log.cc
@@ -501,7 +501,7 @@ const char *MYSQL_LOG::generate_name(const char *log_name,
{
char *p = fn_ext(log_name);
uint length=(uint) (p-log_name);
- strmake(buff,log_name,min(length,FN_REFLEN));
+ strmake(buff, log_name, min(length, FN_REFLEN-1));
return (const char*)buff;
}
return log_name;
@@ -1503,7 +1503,7 @@ int MYSQL_LOG::purge_logs_before_date(time_t purge_time)
if (stat_area.st_mtime < purge_time)
strmake(to_log,
log_info.log_file_name,
- sizeof(log_info.log_file_name));
+ sizeof(log_info.log_file_name) - 1);
else
break;
}
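Review bot: The copy into `to_log` is still bounded by the size of the source field, `sizeof(log_info.log_file_name) - 1`, rather than by the destination, whose declaration is outside the hunk; the `- 1` removes the overflow only if `to_log` is at least as large as `log_info.log_file_name`. If `to_log` is an array in this scope, `sizeof(to_log) - 1` expresses the real bound and keeps holding if either buffer is resized later; if it is a pointer, a `compile_time_assert(sizeof(to_log_storage) >= sizeof(log_info.log_file_name))` or at least a comment stating that size relationship is warranted. Note also that a name longer than the bound is silently truncated rather than rejected, so a truncated `to_log` would name a different file for the subsequent purge — presumably unreachable because both buffers are FN_REFLEN-sized, but worth confirming. purge_logs_before_date begins and ends outside the hunk.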
@@ -2604,11 +2604,11 @@ bool flush_error_log()
if (opt_error_log)
{
char err_renamed[FN_REFLEN], *end;
- end= strmake(err_renamed,log_error_file,FN_REFLEN-4);
+ end= strmake(err_renamed,log_error_file,FN_REFLEN-5);
strmov(end, "-old");
VOID(pthread_mutex_lock(&LOCK_error_log));
#ifdef __WIN__
- char err_temp[FN_REFLEN+4];
+ char err_temp[FN_REFLEN+5];
/*
On Windows is necessary a temporary file for to rename
the current error file.
diff --git a/sql/sp_pcontext.h b/sql/sp_pcontext.h
index db8bed349f2..cd3011b2c37 100644
--- a/sql/sp_pcontext.h
+++ b/sql/sp_pcontext.h
@@ -71,7 +71,7 @@ typedef struct sp_label
typedef struct sp_cond_type
{
enum { number, state, warning, notfound, exception } type;
- char sqlstate[6];
+ char sqlstate[SQLSTATE_LENGTH+1];
uint mysqlerr;
} sp_cond_type_t;
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index f29baad9a84..bf117874552 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -914,7 +914,7 @@ int acl_getroot(THD *thd, USER_RESOURCES *mqh,
*mqh= acl_user->user_resource;
if (acl_user->host.hostname)
- strmake(sctx->priv_host, acl_user->host.hostname, MAX_HOSTNAME);
+ strmake(sctx->priv_host, acl_user->host.hostname, MAX_HOSTNAME - 1);
else
*sctx->priv_host= 0;
}
@@ -1015,7 +1015,7 @@ bool acl_getroot_no_password(Security_context *sctx, char *user, char *host,
sctx->priv_user= acl_user->user ? user : (char *) "";
if (acl_user->host.hostname)
- strmake(sctx->priv_host, acl_user->host.hostname, MAX_HOSTNAME);
+ strmake(sctx->priv_host, acl_user->host.hostname, MAX_HOSTNAME - 1);
else
*sctx->priv_host= 0;
}
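Review bot: Both call sites still hard-code the bound as `MAX_HOSTNAME - 1` while the destination `sctx->priv_host` is declared outside the hunk; if it is a `char priv_host[MAX_HOSTNAME]` array, `strmake(sctx->priv_host, acl_user->host.hostname, sizeof(sctx->priv_host) - 1);` ties the bound to the actual buffer and cannot drift if the array is ever resized. Because priv_host feeds later privilege decisions, a hostname longer than the bound would be silently truncated and the security context would carry a name that no longer matches the ACL entry it came from — presumably unreachable since stored hostnames are bounded on the way in, but a one-line comment at the copy saying so would save the next reader the same check. The identical two-line sequence appears in acl_getroot and acl_getroot_no_password; a small static helper such as `set_priv_host(Security_context *sctx, const char *host)` would keep the two in step. Both enclosing functions continue outside the hunk.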
diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc
index f34aa3c3bad..48df40f2614 100644
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -917,7 +917,7 @@ static int check_connection(THD *thd)
vio_keepalive(net->vio, TRUE);
{
/* buff[] needs to big enough to hold the server_version variable */
- char buff[SERVER_VERSION_LENGTH + SCRAMBLE_LENGTH + 64];
+ char buff[SERVER_VERSION_LENGTH + 1 + SCRAMBLE_LENGTH + 1 + 64];
ulong client_flags = (CLIENT_LONG_FLAG | CLIENT_CONNECT_WITH_DB |
CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION);
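Review bot: The comment above the enlarged declaration ("buff[] needs to big enough to hold the server_version variable") is ungrammatical and no longer explains the sizing, which now adds two `+ 1` terms and a bare `64` that a reader cannot map to anything. Suggest replacing it with `/* server_version + NUL, scramble + NUL, plus the remaining fixed-size handshake fields (64 bytes of slack) */` — what the 64 actually covers is inferred, not visible here, and should be confirmed against the handshake packet that check_connection assembles further down, outside the hunk.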
diff --git a/sql/sql_table.cc b/sql/sql_table.cc
index e32c17bc678..9432c5c3f89 100644
--- a/sql/sql_table.cc
+++ b/sql/sql_table.cc
@@ -742,7 +742,7 @@ static int mysql_prepare_table(THD *thd, HA_CREATE_INFO *create_info,
!(sql_field->charset= get_charset_by_csname(sql_field->charset->csname,
MY_CS_BINSORT,MYF(0))))
{
- char tmp[64];
+ char tmp[65];
strmake(strmake(tmp, save_cs->csname, sizeof(tmp)-4),
STRING_WITH_LEN("_bin"));
my_error(ER_UNKNOWN_COLLATION, MYF(0), tmp);
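Review bot: The off-by-one is not actually removed here: strmake writes up to `len` bytes plus a terminating NUL, so with `char tmp[65]` the inner call may fill `tmp[0..60]` and put its NUL at `tmp[61]`, and the outer call then writes `_bin` at `tmp[61..64]` and its NUL at `tmp[65]`, one past the end of the array. Growing the array does not help because the bound `sizeof(tmp)-4` grows with it; the bound has to reserve the suffix and its terminator, e.g. `strmake(strmake(tmp, save_cs->csname, sizeof(tmp) - sizeof("_bin")), STRING_WITH_LEN("_bin"));` (`sizeof("_bin")` is 5, which leaves 60 + 4 + 1 = 65 bytes). In practice character set names are far shorter than 60 bytes, so the extra byte is presumably never written, but the expression as committed still encodes the wrong invariant. mysql_prepare_table continues outside the hunk.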