author Sujatha Sivakumar <sujatha.sivakumar@oracle.com> 2014-10-08 10:50:02 +0530
committer Sujatha Sivakumar <sujatha.sivakumar@oracle.com> 2014-10-08 10:50:02 +0530
commit 0d0c59ff8092e0added553e48d271628574a32c4
tree 0bbf2b0d55a5ee1b7647bfdd713511cfa54bd6a6 /tests
parent 0fc7b50cdbe293d78f19a10e4073b2f3776bc5da
Bug#19145698: READ OUT OF BOUNDS ISSUE

Problem:
========
In a master slave replication if a slave receives a
Start_log_event_v3 the payload is expected to be of fixed
size. If a payload which is smaller than the fixed size is
received it causes a read out of bounds issue.

Analysis:
========
According to documentation the fixed data part of
Start_log_event_v3 looks as shown below.

2 bytes: The binary log format version
50 bytes: The MySQL server's version
4 bytes: Timestamp in seconds when this event was created

Since the payload is expected to be of fixed size, therefore
ST_SERVER_VER_LEN (50) bytes are memcpy'ed into
server_version. But if a malicious master sends a shorter
payload it causes a read out of bounds issue.

Fix:
===
In Start_log_event_v3 event's constructor a check has been
added which expects the minimum payload length to be of size
common_header_len + ST_COMMON_HEADER_LEN_OFFSET bytes. If a
malicious packet of lesser length is received it will be
considered as an invalid event.

Diffstat (limited to 'tests')
0 files changed, 0 insertions, 0 deletions
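
The length check described in the commit message, written out as an added example; this is not the MySQL/MariaDB source. The names `parse_start_v3`, `struct start_v3` and `build_sample_event` are hypothetical, the value 56 for `ST_COMMON_HEADER_LEN_OFFSET` is an assumption derived from the 2 + 50 + 4 byte layout quoted above, and the fields are decoded as little-endian.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Fixed-data layout from the commit message: 2 + 50 + 4 bytes. */
#define ST_SERVER_VER_LEN 50
#define ST_COMMON_HEADER_LEN_OFFSET (2 + ST_SERVER_VER_LEN + 4) /* assumed: 56 */

struct start_v3 {                       /* hypothetical holder for decoded fields */
    uint16_t binlog_version;
    char     server_version[ST_SERVER_VER_LEN];
    uint32_t created;
};

/* buf points at the start of the event (common header included) and
 * event_len is the number of bytes actually received.
 * Returns 0 on success, -1 if the event cannot hold the fixed data. */
int parse_start_v3(const uint8_t *buf, size_t event_len,
                   size_t common_header_len, struct start_v3 *out)
{
    /* Reject short events before touching the payload. Written as a
     * subtraction so a huge common_header_len cannot wrap the sum. */
    if (buf == NULL || out == NULL || event_len < common_header_len ||
        event_len - common_header_len < ST_COMMON_HEADER_LEN_OFFSET)
        return -1;

    const uint8_t *p = buf + common_header_len;
    out->binlog_version = (uint16_t)(p[0] | (p[1] << 8));
    /* Safe now: at least 56 payload bytes are known to be present. */
    memcpy(out->server_version, p + 2, ST_SERVER_VER_LEN);
    out->server_version[ST_SERVER_VER_LEN - 1] = '\0';  /* force termination */
    p += 2 + ST_SERVER_VER_LEN;
    out->created = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                   ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return 0;
}

/* Constructed sample: writes a well-formed event of hdr_len + 56 bytes into
 * ev and returns its length. Pass a smaller length to simulate truncation. */
size_t build_sample_event(uint8_t *ev, size_t hdr_len)
{
    memset(ev, 0, hdr_len + ST_COMMON_HEADER_LEN_OFFSET);
    ev[hdr_len] = 3;                              /* binlog format version */
    memcpy(ev + hdr_len + 2, "5.5.40-log", 10);   /* constructed version string */
    ev[hdr_len + 2 + ST_SERVER_VER_LEN] = 0x2a;   /* created = 42 */
    return hdr_len + ST_COMMON_HEADER_LEN_OFFSET;
}
```

An event one byte short of the minimum is rejected as invalid rather than copied from, which is the behaviour the fix describes.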