Bug #45790 Potential DoS vector: Writing of user input to log

without proper formatting
      
The problem is that a suitably crafted database identifier
supplied to COM_CREATE_DB or COM_DROP_DB can cause a SIGSEGV,
and thereby a denial of service. The database name is printed
to the log without using a format string, so potential
attackers can control the behavior of my_b_vprintf() by
supplying their own format string. A CREATE or DROP privilege
would be required.
      
This patch supplies a format string to the printing of the
database name. A test case is added to mysql_client_test.


sql/sql_parse.cc:
  Added format strings.
tests/mysql_client_test.c:
  Added new test case.

1 files changed, 22 insertions, 0 deletions

diff --git a/tests/mysql_client_test.c b/tests/mysql_client_test.c
index 9dfacb7436d..ce1a1a99b04 100644
--- a/tests/mysql_client_test.c
+++ b/tests/mysql_client_test.c
@@ -12063,6 +12063,27 @@ static void test_bug6081()
 }
 
 
+/*
+  Verify that bogus database names are handled properly with
+  COM_CREATE_DB and COM_DROP_DB, i.e., cannot cause SIGSEGV through
+  the use of printf specifiers in the database name.
+*/
+static void test_bug45790()
+{
+  const char* bogus_db = "%s%s%s%s%s%s%s";
+  int rc;
+
+  myheader("test_bug45790");
+  rc= simple_command(mysql, COM_CREATE_DB, bogus_db,
+                     (ulong)strlen(bogus_db), 0);
+  myquery(rc);
+
+  rc= simple_command(mysql, COM_DROP_DB, bogus_db,
+                     (ulong)strlen(bogus_db), 0);
+  myquery(rc);
+}
+
+
 static void test_bug6096()
 {
   MYSQL_STMT *stmt;
@@ -16829,6 +16850,7 @@ static struct my_tests_st my_tests[]= {
   { "test_bug6059", test_bug6059 },
   { "test_bug6046", test_bug6046 },
   { "test_bug6081", test_bug6081 },
+  { "test_bug45790",test_bug45790 },
   { "test_bug6096", test_bug6096 },
   { "test_datetime_ranges", test_datetime_ranges },
   { "test_bug4172", test_bug4172 },