diff options
author | unknown <serg@sergbook.mysql.com> | 2006-04-25 14:06:04 -0700 |
---|---|---|
committer | unknown <serg@sergbook.mysql.com> | 2006-04-25 14:06:04 -0700 |
commit | e262aaa8853d291455b0c7c50b52b6346a9b3525 (patch) | |
tree | b372074f6db07591e4bde58f14cb64049aa76cbc /sql | |
parent | f9216cdf8d40c0552382fd0788d03dc20db2d94c (diff) | |
parent | b3a7131896e5deedcc843e8130e1d9da71cacc01 (diff) | |
download | mariadb-git-e262aaa8853d291455b0c7c50b52b6346a9b3525.tar.gz |
merged
Diffstat (limited to 'sql')
-rw-r--r-- | sql/sql_parse.cc | 19 |
1 files changed, 18 insertions, 1 deletions
diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc index e25a428aaa7..3fc71351d74 100644 --- a/sql/sql_parse.cc +++ b/sql/sql_parse.cc @@ -906,13 +906,20 @@ static int check_connection(THD *thd) *passwd++ : strlen(passwd); db= thd->client_capabilities & CLIENT_CONNECT_WITH_DB ? db + passwd_len + 1 : 0; + uint db_len= db ? strlen(db) : 0; + + if (passwd + passwd_len + db_len > net->read_pos + pkt_len) + { + inc_host_errors(&thd->remote.sin_addr); + return ER_HANDSHAKE_ERROR; + } /* Since 4.1 all database names are stored in utf8 */ if (db) { db_buff[copy_and_convert(db_buff, sizeof(db_buff)-1, system_charset_info, - db, strlen(db), + db, db_len, thd->charset(), &dummy_errors)]= 0; db= db_buff; } @@ -1379,7 +1386,17 @@ bool dispatch_command(enum enum_server_command command, THD *thd, { char *db, *tbl_name; uint db_len= *(uchar*) packet; + if (db_len >= packet_length || db_len > NAME_LEN) + { + send_error(&thd->net, ER_UNKNOWN_COM_ERROR); + break; + } uint tbl_len= *(uchar*) (packet + db_len + 1); + if (db_len+tbl_len+2 > packet_length || tbl_len > NAME_LEN) + { + send_error(&thd->net, ER_UNKNOWN_COM_ERROR); + break; + } statistic_increment(com_other, &LOCK_status); thd->enable_slow_log= opt_log_slow_admin_statements; |