Commit a69ab08b authored by Marcin Babij's avatar Marcin Babij

BUG#18779944: MYSQLDUMP BUFFER OVERFLOW

Mysqldump overflows stack buffer when copying table name from commandline arguments resulting in stack corruption and ability to execute arbitrary code.

Fix: Check length of all positional arguments passed to mysqldump is smaller than NAME_LEN.
Note: Mysqldump heavily depends on that database objects (databases, tablespaces, tables, etc) are limited to small size (now it is 64).
parent 8ba44294
...@@ -5538,11 +5538,27 @@ int main(int argc, char **argv) ...@@ -5538,11 +5538,27 @@ int main(int argc, char **argv)
dump_all_tablespaces(); dump_all_tablespaces();
dump_all_databases(); dump_all_databases();
} }
else if (argc > 1 && !opt_databases) else
{
// Check all arguments meet length condition. Currently database and table
// names are limited to NAME_LEN bytes and stack-based buffers assumes
// that escaped name will be not longer than NAME_LEN*2 + 2 bytes long.
int argument;
for (argument= 0; argument < argc; argument++)
{
size_t argument_length= strlen(argv[argument]);
if (argument_length > NAME_LEN)
{
die(EX_CONSCHECK, "[ERROR] Argument '%s' is too long, it cannot be "
"name for any table or database.\n", argv[argument]);
}
}
if (argc > 1 && !opt_databases)
{ {
/* Only one database and selected table(s) */ /* Only one database and selected table(s) */
if (!opt_alltspcs && !opt_notspcs) if (!opt_alltspcs && !opt_notspcs)
dump_tablespaces_for_tables(*argv, (argv + 1), (argc -1)); dump_tablespaces_for_tables(*argv, (argv + 1), (argc - 1));
dump_selected_tables(*argv, (argv + 1), (argc - 1)); dump_selected_tables(*argv, (argv + 1), (argc - 1));
} }
else else
...@@ -5552,6 +5568,7 @@ int main(int argc, char **argv) ...@@ -5552,6 +5568,7 @@ int main(int argc, char **argv)
dump_tablespaces_for_databases(argv); dump_tablespaces_for_databases(argv);
dump_databases(argv); dump_databases(argv);
} }
}
/* if --dump-slave , start the slave sql thread */ /* if --dump-slave , start the slave sql thread */
if (opt_slave_data && do_start_slave_sql(mysql)) if (opt_slave_data && do_start_slave_sql(mysql))
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment