From 3cd431d553d722ec56db2635d88b8bb17087952a Mon Sep 17 00:00:00 2001
From: Staale Smedseng
Date: Wed, 1 Jul 2009 14:09:44 +0200
Subject: Bug #45790 Potential DoS vector: Writing of user input to log without proper formatting

The problem is that a suitably crafted database identifier supplied to COM_CREATE_DB or COM_DROP_DB can cause a SIGSEGV, and thereby a denial of service. The database name is printed to the log without using a format string, so potential attackers can control the behavior of my_b_vprintf() by supplying their own format string. A CREATE or DROP privilege would be required.

This patch supplies a format string to the printing of the database name. A test case is added to mysql_client_test.

sql/sql_parse.cc:
  Added format strings.
tests/mysql_client_test.c:
  Added new test case.
---
 sql/sql_parse.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'sql')

diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc
index 0b7d0e6ee10..bcde4a971d0 100644
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -2096,7 +2096,7 @@ bool dispatch_command(enum enum_server_command command, THD *thd,
     }
     if (check_access(thd,CREATE_ACL,db,0,1,0,is_schema_db(db)))
       break;
-    mysql_log.write(thd,command,packet);
+    mysql_log.write(thd, command, "%s", db);
     bzero(&create_info, sizeof(create_info));
     mysql_create_db(thd, (lower_case_table_names == 2 ? alias : db),
                     &create_info, 0);
@@ -2121,7 +2121,7 @@ bool dispatch_command(enum enum_server_command command, THD *thd,
                  ER(ER_LOCK_OR_ACTIVE_TRANSACTION), MYF(0));
       break;
     }
-    mysql_log.write(thd,command,db);
+    mysql_log.write(thd, command, "%s", db);
     mysql_rm_db(thd, db, 0, 0);
     break;
   }
-- 
cgit v1.2.1
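Review bot: The added `"%s"` in the COM_CREATE_DB hunk fixes these two call sites, but nothing in the patch prevents the same format-string bug from being reintroduced, because `mysql_log.write(thd, command, <buffer>)` with a client-controlled `const char *` as the format still compiles without complaint. If the `write(THD*, enum enum_server_command, const char *format, ...)` declaration in log.h is not already annotated, add the project's `ATTRIBUTE_FORMAT(printf, 4, 5)` (the index is 4 because of the implicit `this` — confirm against the declaration) and build with `-Wformat-security`, so a non-literal format with no trailing arguments becomes a compiler warning rather than a crash found in the field. It is also worth grepping the rest of `dispatch_command` for other `mysql_log.write` calls whose third argument is `packet` or another client-supplied buffer; only these two sites are visible from the hunk. `dispatch_command` starts before and continues after this hunk.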
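Review bot: The COM_DROP_DB hunk carries no comment explaining why `db` is passed through `"%s"`, which invites a later "simplification" back to `mysql_log.write(thd, command, db)` and a silent regression of the crash this commit fixes. Add a one-line comment above the call, e.g. `/* db is client-controlled; it must be a %s argument, never the format string (Bug#45790) */`, and the same comment above the COM_CREATE_DB call. Note that the write still happens before `mysql_rm_db` and regardless of its outcome, so the general log records the attempt rather than a completed drop; that is pre-existing behaviour, but the comment could say so to avoid confusion when correlating log entries with a DoS attempt. The enclosing `switch` case begins before this hunk.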