From a905ac34b59731bb69a036306297c50742753329 Mon Sep 17 00:00:00 2001
From: unknown
Date: Mon, 26 Nov 2007 08:20:40 +0100
Subject: Bug#31752: check strmake() bounds strmake() calls are easy to get wrong. Add checks in extra debug mode to identify possible exploits. Remove some dead code. Remove some off-by-one errors identified with new checks. sql/log.cc: fix off-by-one buffer-length argument to prevent stack smashing sql/repl_failsafe.cc: fix off-by-one buffer-length argument to prevent stack smashing sql/set_var.cc: fix off-by-one buffer-length argument to prevent stack smashing (already approved, backports #31588) sql/sql_show.cc: misdimensioned buffers: functions further down the callstack expect bufsize of FN_REFLEN sql/unireg.cc: When EXTRA_DEBUG is enabled, strmake() will write funny patterns to buffers it operates on to identify possibly overflows. This leads to badness in mysql_create_frm(), so we explicitly put any unused bytes (back) into a defined state. Not a bug-fix, but part of the strmake() bug detector. strings/strmake.c: strmake() takes maximum string length rather than buffer-length (string length + 1 to accomodate \0 terminator) as argument. Since this is easy to get wrong, add extra debug code to identify off-by-ones so we can prevent stack smashing. Alternative "BAD_STRING_COMPILER" removed after checking with Monty.
---
 sql/unireg.cc | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'sql/unireg.cc')
diff --git a/sql/unireg.cc b/sql/unireg.cc
index e5ee0222f20..795198fc55f 100644
--- a/sql/unireg.cc
+++ b/sql/unireg.cc
@@ -140,6 +140,9 @@ bool mysql_create_frm(THD *thd, my_string file_name,
 strmake((char*) forminfo+47,create_info->comment ? create_info->comment : "",
 60);
 forminfo[46]=(uchar) strlen((char*)forminfo+47); // Length of comment
+#ifdef EXTRA_DEBUG
+ memset((char*) forminfo+47 + forminfo[46], 0, 61 - forminfo[46]);
+#endif
 if (my_pwrite(file,(byte*) fileinfo,64,0L,MYF_RW) ||
 my_pwrite(file,(byte*) keybuff,key_info_length,
-- cgit v1.2.1
From 0805384869656fc9efaa28de331e825aa8b885d7 Mon Sep 17 00:00:00 2001
From: unknown
Date: Thu, 6 Dec 2007 11:48:27 +0100
Subject: Bug#31752: check strmake() bounds post-fixes: prevent semi-related overflow, additional comments mysys/mf_pack.c: extra comments sql/log.cc: prevent overflow (length parameter of strmake() should never become < 0) sql/sql_show.cc: additional comments sql/unireg.cc: additional comments
---
 sql/unireg.cc | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'sql/unireg.cc')
diff --git a/sql/unireg.cc b/sql/unireg.cc
index 795198fc55f..dcb49bc1766 100644
--- a/sql/unireg.cc
+++ b/sql/unireg.cc
@@ -141,6 +141,11 @@ bool mysql_create_frm(THD *thd, my_string file_name,
 60);
 forminfo[46]=(uchar) strlen((char*)forminfo+47); // Length of comment
 #ifdef EXTRA_DEBUG
+ /*
+ EXTRA_DEBUG causes strmake() to initialize its buffer behind the
+ payload with a magic value to detect wrong buffer-sizes. We
+ explicitly zero that segment again.
+ */
 memset((char*) forminfo+47 + forminfo[46], 0, 61 - forminfo[46]);
 #endif
-- cgit v1.2.1
From 0fbc29c197d931fdcf99c071e3ac1e31bf8761ee Mon Sep 17 00:00:00 2001
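Review bot: The added memset hard-codes the comment field's geometry a second time — offset 47 and the size `61 - forminfo[46]` only stay correct while the strmake() call two lines above keeps passing `60` (60 characters plus the NUL), so the two literals can drift apart silently; naming the width once, e.g. `memset((char*) forminfo+47 + forminfo[46], 0, (60 + 1) - forminfo[46]);` or a shared constant used by both calls, would make the relationship explicit. The count itself cannot go negative, because forminfo[46] is the strlen() of what strmake(…, 60) produced and is therefore at most 60. Since the zeroing is compiled only under EXTRA_DEBUG, it is worth confirming that forminfo is already zero-filled earlier in mysql_create_frm() (outside this hunk); if it is not, debug and release builds would write different trailing bytes into the .frm file. mysql_create_frm() begins and ends outside this hunk, and the second commit's hunk on this page repeats the same literals.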
From: unknown
Date: Thu, 20 Dec 2007 21:16:55 +0300
Subject: A pre-requisite for the fix for Bug#12713 "Error in a stored function called from a SELECT doesn't cause ROLLBACK of state" Make private all class handler methods (PSEA API) that may modify data. Introduce and deploy public ha_* wrappers for these methods in all sql/. This necessary to keep track of all data modifications in sql/, which is in turn necessary to be able to optimize two-phase commit of those transactions that do not modify data.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
sql/ha_partition.cc: Class ha_partition is no longer a friend of class handler. Use the public handler interface (handler::ha_ methods) for partition operations. Remove unnecessary casts from char[] to const char *.ppзи выафвыаafa sql/handler.cc: Function ha_create_table() is no longer a friend of class handler. Use public handler::change_table_ptr() to access private members. This fixes a subtle bug (no test case in the test suite) when a deletion error occurs inside one partition of a partitioned engine. The old code would crash in handler::print_error() in this case. Implement the newly introduced public ha_* wrappers of the private virtual handler methods. sql/handler.h: Introduce ha_* wrappers to all class handler methods that may modify data. This is necessary to be able to keep track of data modifying operations of class handler and optimize read-only transactions. sql/item_sum.cc: delete_all_rows -> ha_delete_all_rows sql/sql_base.cc: Use the new public wrappers. sql/sql_delete.cc: delete_all_rows -> ha_delete_all_rows sql/sql_partition.cc: Use the new public wrappers. sql/sql_select.cc: delete_all_rows -> ha_delete_all_rows delete_table -> ha_delete_table disabe_indexes -> ha_disable_idnexes sql/sql_show.cc: delete_all_rows -> ha_delete_all_rows sql/sql_table.cc: Use the public wrappers for class handler DDL methods.
All methods which may change handler data are now accessed via a public wrapper. sql/sql_union.cc: delete_all_rows -> ha_delete_all_rows {enable,disable}_indexes -> ha_{enable,disable}_indexes sql/sql_update.cc: bulk_update_row -> ha_bulk_update_row sql/unireg.cc: create_handler_files -> ha_create_handler_files
---
 sql/unireg.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'sql/unireg.cc')
diff --git a/sql/unireg.cc b/sql/unireg.cc
index dbdefd8d5b1..cbeedc6fb8f 100644
--- a/sql/unireg.cc
+++ b/sql/unireg.cc
@@ -393,7 +393,7 @@ int rea_create_table(THD *thd, const char *path,
 DBUG_ASSERT(*fn_rext(frm_name));
 if (thd->variables.keep_files_on_create)
 create_info->options|= HA_CREATE_KEEP_FILES;
- if (file->create_handler_files(path, NULL, CHF_CREATE_FLAG, create_info))
+ if (file->ha_create_handler_files(path, NULL, CHF_CREATE_FLAG, create_info))
 goto err_handler;
 if (!create_info->frm_only && ha_create_table(thd, path, db, table_name, create_info,0))
@@ -401,7 +401,7 @@ int rea_create_table(THD *thd, const char *path,
 DBUG_RETURN(0);
 err_handler:
- VOID(file->create_handler_files(path, NULL, CHF_DELETE_FLAG, create_info));
+ VOID(file->ha_create_handler_files(path, NULL, CHF_DELETE_FLAG, create_info));
 my_delete(frm_name, MYF(0));
 DBUG_RETURN(1);
 } /* rea_create_table */
-- cgit v1.2.1