From a63185e8638365d401732803ba93b6b149d33c65 Mon Sep 17 00:00:00 2001 From: Karthik Kamath Date: Thu, 10 Nov 2016 15:11:57 +0530 Subject: BUG#24437124: POSSIBLE BUFFER OVERFLOW ON CREATE TABLE ANALYSIS: ========= 'CREATE TABLE' query with a large value for 'CONNECTION' string reports an incorrect error. The length of connection string is stored in .frm in two bytes (max value= 65535). When the string length exceeds the max value, the length is truncated to fit the two bytes limit. Further processing leads to reading only a part of the string as the length stored is incorrect. The remaining part of the string is treated as engine type and hence results in an error. FIX: ==== We are now restricting the connection string length to 1024. An appropriate error is reported if the length crosses this limit. NOTE: ===== The 'PASSWORD' table option is documented as unused and processed within a dead code. Hence it will not cause similar issue with large strings. --- sql/sql_table.cc | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'sql/sql_table.cc') diff --git a/sql/sql_table.cc b/sql/sql_table.cc index 49f05c6116e..58bcf5ca1d4 100644 --- a/sql/sql_table.cc +++ b/sql/sql_table.cc @@ -2851,6 +2851,21 @@ mysql_prepare_create_table(THD *thd, HA_CREATE_INFO *create_info, uint total_uneven_bit_length= 0; DBUG_ENTER("mysql_prepare_create_table"); + LEX_STRING* connect_string = &create_info->connect_string; + if (connect_string->length != 0 && + connect_string->length > CONNECT_STRING_MAXLEN && + (system_charset_info->cset->charpos(system_charset_info, + connect_string->str, + (connect_string->str + + connect_string->length), + CONNECT_STRING_MAXLEN) + < connect_string->length)) + { + my_error(ER_WRONG_STRING_LENGTH, MYF(0), + connect_string->str, "CONNECTION", CONNECT_STRING_MAXLEN); + DBUG_RETURN(TRUE); + } + select_field_pos= alter_info->create_list.elements - select_field_count; null_fields=blob_columns=0; create_info->varchar= 0; -- cgit v1.2.1