author unknown <cmiller@zippy.(none)> 2006-05-01 22:10:50 -0400
committer unknown <cmiller@zippy.(none)> 2006-05-01 22:10:50 -0400
commit f57754d78389df639806847879ecfaa6e9253af9
tree e1be3b9af9e1eb4a72abb369924831d5a8129301 /strings
parent 7030ae6b7efd95ef65a02224a810d67a900d3220
SECURITY FIX
Bug#17667: An attacker has the opportunity to bypass query logging.

This adds a new, local-only printf format specifier to our *printf functions that allows us to print known-size buffers that must not be interpreted as NUL-terminated "strings." It uses this format-specifier to print to the log, thus fixing this problem.

include/my_sys.h:
  Add prototype for my_memmem().
mysys/Makefile.am:
  Add reference to new file, my_memmem.c
mysys/mf_iocache2.c:
  Add a "%.1234b" and "%.*b" percent-code. It takes a width, just like "%s", but unlike the string-indicator, it requires the width and doesn't stop printing at NUL characters. Also, simplify the code a bit. TODO: This code should be unified with the strings/my_vnsprintf.c code in the future.
sql/sql_parse.cc:
  The query is not a C-string, but is a sized buffer, containing any character at all, which may include NUL characters.
strings/my_vsnprintf.c:
  Add a "%.1234b" and "%.*b" percent-code. It takes a width, just like "%s", but unlike the string-indicator, it requires the width and doesn't stop printing at NUL characters.
tests/Makefile.am:
  We may need some of our local functions.
tests/mysql_client_test.c:
  Add a "%.1234b" and "%.*b" percent-code. It takes a width, just like "%s", but unlike the string-indicator, it requires the width and doesn't stop printing at NUL characters.
mysql-test/t/mysql_client_test.opt:
  New BitKeeper file ``mysql-test/t/mysql_client_test.opt''
  Add '--log' server parameter.
mysys/my_memmem.c:
  New BitKeeper file ``mysys/my_memmem.c''
  Implement memmem, a black-box work-alike of the GNU memmem(), which functions like strstr() but for arbitrary blocks of memory.
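The truncation this commit message describes, as an added example that is not part of the commit or of the project's code: a query held as a sized buffer is written to a log line once through "%s" and once by explicit length. The helper names and the sample query are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: format the query with "%s", which stops at the
   first NUL byte. Returns the number of query bytes that reached the log. */
static size_t log_as_cstring(char *out, size_t out_size, const char *query)
{
  int n = snprintf(out, out_size, "%s", query);
  if (n < 0)
    return 0;
  return (size_t) n < out_size ? (size_t) n : out_size - 1;
}

/* Hypothetical helper: copy exactly len bytes, NUL bytes included, clamped
   to the space left in out. Returns the number of bytes written. */
static size_t log_as_buffer(char *out, size_t out_size,
                            const char *query, size_t len)
{
  if (out_size == 0)
    return 0;
  if (len > out_size - 1)        /* keep one byte for the terminator */
    len = out_size - 1;
  memmove(out, query, len);
  out[len] = '\0';
  return len;
}

/* Constructed sample: a sized query buffer with a NUL byte in the middle. */
static const char sample_query[] = "SELECT 1\0 -- rest of statement";
#define SAMPLE_LEN (sizeof(sample_query) - 1)

int main(void)
{
  char line[64];
  size_t n = log_as_cstring(line, sizeof(line), sample_query);
  printf("%%s logged %zu of %zu bytes\n", n, (size_t) SAMPLE_LEN);
  n = log_as_buffer(line, sizeof(line), sample_query, SAMPLE_LEN);
  printf("sized copy logged %zu of %zu bytes\n", n, (size_t) SAMPLE_LEN);
  return 0;
}
```
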
Diffstat (limited to 'strings')
-rw-r--r-- strings/my_vsnprintf.c 9
1 files changed, 8 insertions, 1 deletions
diff --git a/strings/my_vsnprintf.c b/strings/my_vsnprintf.c
index 0e036c2bbcd..d917e9e11b2 100644
--- a/strings/my_vsnprintf.c
+++ b/strings/my_vsnprintf.c
@@ -27,6 +27,7 @@
%#[l]d
%#[l]u
%#[l]x
+ %#.#b Local format; note first # is ignored and second is REQUIRED
%#.#s Note first # is ignored
RETURN
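Review bot: The new `%#.#b` line in the header comment marks the second # as REQUIRED but does not say what it measures or what happens when it is left out; state that it is the number of bytes copied from the argument, NUL bytes included. The commit message also names a "%.*b" form, so list that here as well if `*` is accepted as the precision for `b`.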
@@ -40,7 +41,7 @@ int my_vsnprintf(char *to, size_t n, const char* fmt, va_list ap)
for (; *fmt ; fmt++)
{
- if (fmt[0] != '%')
+ if (*fmt != '%')
{
if (to == end) /* End of buffer */
break;
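Review bot: The `fmt[0]` to `*fmt` rewrite in the loop's first test is cosmetic and unrelated to Bug#17667; leave it out of the security fix so the patch stays minimal and is easier to audit and backport.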
@@ -95,6 +96,12 @@ int my_vsnprintf(char *to, size_t n, const char* fmt, va_list ap)
to=strnmov(to,par,plen);
continue;
}
+ else if (*fmt == 'b') /* Buffer parameter */
+ {
+ char *par = va_arg(ap, char *);
+ to=memmove(to, par, abs(width));
+ continue;
+ }
else if (*fmt == 'd' || *fmt == 'u'|| *fmt== 'x') /* Integer parameter */
{
register long larg;
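Review bot: The new 'b' branch copies abs(width) bytes with no check against `end`, so a precision larger than the space left in `to` writes past the n-byte buffer; clamp the count to `end - to` before the copy, as the literal-character path does with its `to == end` test. In the same line, memmove() returns its destination, so `to=memmove(to, par, abs(width));` leaves `to` pointing at the start of the copied bytes and the next conversion overwrites them; add the clamped length to `to` after the copy. Nothing in the branch rejects a missing precision either, although the header comment calls it REQUIRED, so handle that case explicitly rather than relying on whatever value `width` holds.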