• Sujatha Sivakumar's avatar
    Bug#19145698: READ OUT OF BOUNDS ISSUE · 0d0c59ff
    Sujatha Sivakumar authored
    Problem:
    ========
    In a master slave replication if a slave receives a
    Start_log_event_v3 the payload is expected to be of fixed
    size. If a payload which is smaller than the fixed size is
    received it causes a read out of bounds issue.
    
    Analysis:
    ========
    According to documentation the fixed data part of
    Start_log_event_v3 looks as shown below.
    
    2 bytes: The binary log format version
    50 bytes: The MySQL server's version
    4 bytes: Timestamp in seconds when this event was created
    
    Since the payload is expected to be of fixed size, therefore
    ST_SERVER_VER_LEN (50) bytes are memcpy'ed into
    server_version. But if a malicious master sends a shorter
    payload it causes a read out of bounds issue.
    
    Fix:
    ===
    In Start_log_event_v3 event's constructor a check has been
    added which expects the minimum payload length to be of size
    common_header_len + ST_COMMON_HEADER_LEN_OFFSET bytes. If a
    malicious packet of lesser length is received it will be
    considered as an invalid event.
    0d0c59ff
log_event.cc 337 KB