authorunknown <serg@sergbook.mysql.com>2006-04-25 14:06:04 -0700
committerunknown <serg@sergbook.mysql.com>2006-04-25 14:06:04 -0700
commite262aaa8853d291455b0c7c50b52b6346a9b3525 (patch)
treeb372074f6db07591e4bde58f14cb64049aa76cbc /sql
parentf9216cdf8d40c0552382fd0788d03dc20db2d94c (diff)
parentb3a7131896e5deedcc843e8130e1d9da71cacc01 (diff)
merged
Diffstat (limited to 'sql')
-rw-r--r--sql/sql_parse.cc19
1 files changed, 18 insertions, 1 deletions
diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc
index e25a428aaa7..3fc71351d74 100644
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -906,13 +906,20 @@ static int check_connection(THD *thd)
*passwd++ : strlen(passwd);
db= thd->client_capabilities & CLIENT_CONNECT_WITH_DB ?
db + passwd_len + 1 : 0;
+ uint db_len= db ? strlen(db) : 0;
+
+ if (passwd + passwd_len + db_len > net->read_pos + pkt_len)
+ {
+ inc_host_errors(&thd->remote.sin_addr);
+ return ER_HANDSHAKE_ERROR;
+ }
/* Since 4.1 all database names are stored in utf8 */
if (db)
{
db_buff[copy_and_convert(db_buff, sizeof(db_buff)-1,
system_charset_info,
- db, strlen(db),
+ db, db_len,
thd->charset(), &dummy_errors)]= 0;
db= db_buff;
}
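Review bot: The added `uint db_len= db ? strlen(db) : 0;` calls `strlen(db)` before the new bounds check, while `db` has just been set to `db + passwd_len + 1` from a `passwd_len` that in the `*passwd++` branch is a byte supplied by the client. If that length points past the received data, the terminator scan already reads outside the packet before the `ER_HANDSHAKE_ERROR` path can reject it; whether the buffer is guaranteed to be NUL-terminated beyond `pkt_len` is not visible here. I would reject an out-of-range pointer first, for example `if (db && db >= net->read_pos + pkt_len)` with the same `inc_host_errors` / `return ER_HANDSHAKE_ERROR` body, or bound the scan to the bytes remaining in the packet instead of using an unbounded `strlen`. Comparing lengths against the bytes left, rather than forming `passwd + passwd_len + db_len`, would also avoid pointer arithmetic beyond the buffer. check_connection begins and ends outside this hunk.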
@@ -1379,7 +1386,17 @@ bool dispatch_command(enum enum_server_command command, THD *thd,
{
char *db, *tbl_name;
uint db_len= *(uchar*) packet;
+ if (db_len >= packet_length || db_len > NAME_LEN)
+ {
+ send_error(&thd->net, ER_UNKNOWN_COM_ERROR);
+ break;
+ }
uint tbl_len= *(uchar*) (packet + db_len + 1);
+ if (db_len+tbl_len+2 > packet_length || tbl_len > NAME_LEN)
+ {
+ send_error(&thd->net, ER_UNKNOWN_COM_ERROR);
+ break;
+ }
statistic_increment(com_other, &LOCK_status);
thd->enable_slow_log= opt_log_slow_admin_statements;
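Review bot: The first added guard, `if (db_len >= packet_length || db_len > NAME_LEN)`, still admits `db_len == packet_length - 1`, and the next line's `*(uchar*) (packet + db_len + 1)` then reads the byte at offset `packet_length`, one past the data the length describes. The second check does reject that request, but only after the read, so correctness depends on a readable byte following the packet, which this hunk does not show. Tightening the first condition to `if (db_len + 1 >= packet_length || db_len > NAME_LEN)` keeps the `tbl_len` read inside the packet. `db_len` itself is taken from `*(uchar*) packet` before any length test, so a zero `packet_length` deserves a guard as well unless the caller already excludes it. The enclosing case in dispatch_command starts and ends outside the hunk.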