Commit
53a04866
authored
Oct 31, 2007
by
davi@endora.local
Merge endora.local:/Users/davi/mysql/mysql-5.0-runtime
into endora.local:/Users/davi/mysql/bugs/31669-5.1
parents
230604f3
26f03b0b
Changes
2
Showing
2 changed files
with
98 additions
and
3 deletions
+98
-3
libmysql/libmysql.c
libmysql/libmysql.c
+4
-3
tests/mysql_client_test.c
tests/mysql_client_test.c
+94
-0
libmysql/libmysql.c
...
...
@@ -701,7 +701,8 @@ int cli_read_change_user_result(MYSQL *mysql, char *buff, const char *passwd)
my_bool
STDCALL
mysql_change_user
(
MYSQL
*
mysql
,
const
char
*
user
,
const
char
*
passwd
,
const
char
*
db
)
{
char
buff
[
512
],
*
end
=
buff
;
char
buff
[
USERNAME_LENGTH
+
SCRAMBLED_PASSWORD_CHAR_LENGTH
+
NAME_LEN
+
2
];
char
*
end
=
buff
;
int
rc
;
CHARSET_INFO
*
saved_cs
=
mysql
->
charset
;
...
...
@@ -723,7 +724,7 @@ my_bool STDCALL mysql_change_user(MYSQL *mysql, const char *user,
passwd
=
""
;
/* Store user into the buffer */
end
=
strmov
(
end
,
user
)
+
1
;
end
=
strmake
(
end
,
user
,
USERNAME_LENGTH
)
+
1
;
/* write scrambled password according to server capabilities */
if
(
passwd
[
0
])
...
...
@@ -743,7 +744,7 @@ my_bool STDCALL mysql_change_user(MYSQL *mysql, const char *user,
else
*
end
++=
'\0'
;
/* empty password */
/* Add database if needed */
end
=
strm
ov
(
end
,
db
?
db
:
""
)
+
1
;
end
=
strm
ake
(
end
,
db
?
db
:
""
,
NAME_LEN
)
+
1
;
/* Add character set number. */
...
...
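Review bot: Both `strmake(end, user, USERNAME_LENGTH)` and `strmake(end, db ? db : "", NAME_LEN)` truncate an over-length argument silently, so the packet carries a prefix of what the caller passed instead of the call failing. If an account or schema with that shorter name exists, the change-user request would be evaluated against it rather than the name the caller asked for. Consider rejecting over-length input before the packet is built, or at least state the truncation in the comment, e.g. `/* Store user into the buffer; input beyond USERNAME_LENGTH is truncated */`. The new `buff` declaration also needs a comment saying what the `+ 2` accounts for and that the character set number written after the last visible line still fits. The function body continues outside these hunks, so that budget cannot be confirmed from here.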
tests/mysql_client_test.c
...
...
@@ -17100,6 +17100,99 @@ static void test_bug31418()
}
/**
Bug#31669 Buffer overflow in mysql_change_user()
*/
#define LARGE_BUFFER_SIZE 2048
static
void
test_bug31669
()
{
int
rc
;
static
char
buff
[
LARGE_BUFFER_SIZE
+
1
];
#ifndef EMBEDDED_LIBRARY
static
char
user
[
USERNAME_LENGTH
+
1
];
static
char
db
[
NAME_LEN
+
1
];
static
char
query
[
LARGE_BUFFER_SIZE
*
2
];
#endif
DBUG_ENTER
(
"test_bug31669"
);
myheader
(
"test_bug31669"
);
rc
=
mysql_change_user
(
mysql
,
NULL
,
NULL
,
NULL
);
DIE_UNLESS
(
rc
);
rc
=
mysql_change_user
(
mysql
,
""
,
""
,
""
);
DIE_UNLESS
(
rc
);
memset
(
buff
,
'a'
,
sizeof
(
buff
));
rc
=
mysql_change_user
(
mysql
,
buff
,
buff
,
buff
);
DIE_UNLESS
(
rc
);
rc
=
mysql_change_user
(
mysql
,
opt_user
,
opt_password
,
current_db
);
DIE_UNLESS
(
!
rc
);
#ifndef EMBEDDED_LIBRARY
memset
(
db
,
'a'
,
sizeof
(
db
));
db
[
NAME_LEN
]
=
0
;
strxmov
(
query
,
"CREATE DATABASE IF NOT EXISTS "
,
db
,
NullS
);
rc
=
mysql_query
(
mysql
,
query
);
myquery
(
rc
);
memset
(
user
,
'b'
,
sizeof
(
user
));
user
[
USERNAME_LENGTH
]
=
0
;
memset
(
buff
,
'c'
,
sizeof
(
buff
));
buff
[
LARGE_BUFFER_SIZE
]
=
0
;
strxmov
(
query
,
"GRANT ALL PRIVILEGES ON *.* TO '"
,
user
,
"'@'%' IDENTIFIED BY "
"'"
,
buff
,
"' WITH GRANT OPTION"
,
NullS
);
rc
=
mysql_query
(
mysql
,
query
);
myquery
(
rc
);
rc
=
mysql_query
(
mysql
,
"FLUSH PRIVILEGES"
);
myquery
(
rc
);
rc
=
mysql_change_user
(
mysql
,
user
,
buff
,
db
);
DIE_UNLESS
(
!
rc
);
user
[
USERNAME_LENGTH
-
1
]
=
'a'
;
rc
=
mysql_change_user
(
mysql
,
user
,
buff
,
db
);
DIE_UNLESS
(
rc
);
user
[
USERNAME_LENGTH
-
1
]
=
'b'
;
buff
[
LARGE_BUFFER_SIZE
-
1
]
=
'd'
;
rc
=
mysql_change_user
(
mysql
,
user
,
buff
,
db
);
DIE_UNLESS
(
rc
);
buff
[
LARGE_BUFFER_SIZE
-
1
]
=
'c'
;
db
[
NAME_LEN
-
1
]
=
'e'
;
rc
=
mysql_change_user
(
mysql
,
user
,
buff
,
db
);
DIE_UNLESS
(
rc
);
db
[
NAME_LEN
-
1
]
=
'a'
;
rc
=
mysql_change_user
(
mysql
,
user
,
buff
,
db
);
DIE_UNLESS
(
!
rc
);
rc
=
mysql_change_user
(
mysql
,
user
+
1
,
buff
+
1
,
db
+
1
);
DIE_UNLESS
(
rc
);
rc
=
mysql_change_user
(
mysql
,
opt_user
,
opt_password
,
current_db
);
DIE_UNLESS
(
!
rc
);
strxmov
(
query
,
"DROP DATABASE "
,
db
,
NullS
);
rc
=
mysql_query
(
mysql
,
query
);
myquery
(
rc
);
strxmov
(
query
,
"DELETE FROM mysql.user WHERE User='"
,
user
,
"'"
,
NullS
);
rc
=
mysql_query
(
mysql
,
query
);
myquery
(
rc
);
DIE_UNLESS
(
mysql_affected_rows
(
mysql
)
==
1
);
#endif
DBUG_VOID_RETURN
;
}
/*
Read and parse arguments and MySQL options from my.cnf
*/
...
...
@@ -17403,6 +17496,7 @@ static struct my_tests_st my_tests[]= {
{
"test_bug30472"
,
test_bug30472
},
{
"test_bug20023"
,
test_bug20023
},
{
"test_bug31418"
,
test_bug31418
},
{
"test_bug31669"
,
test_bug31669
},
{
0
,
0
}
};
...
...
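Review bot: The first over-length call in `test_bug31669` passes an unterminated array: `memset(buff, 'a', sizeof(buff));` fills all `LARGE_BUFFER_SIZE + 1` bytes, and `mysql_change_user(mysql, buff, buff, buff)` then treats `buff` as a C string, so any length scan of the password argument runs past the end of the array. Add `buff[LARGE_BUFFER_SIZE]= 0;` after that `memset`, as the later `'c'` fill already does. Separately, the cleanup removes the `GRANT ALL PRIVILEGES ... WITH GRANT OPTION` account with `DELETE FROM mysql.user` but issues no `FLUSH PRIVILEGES` afterwards, so the account presumably remains usable from the in-memory grant tables until the next reload. A trailing `rc= mysql_query(mysql, "FLUSH PRIVILEGES"); myquery(rc);` would close that.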