Commit 33042e6d authored by MySQL Build Team

Backport into build-201006221614-5.1.46sp1

> ------------------------------------------------------------
> revno: 1810.3987.13
> revision-id: ramil@mysql.com-20100429044232-f0pkyx8fnpszf142
> parent: alexey.kopytov@sun.com-20100426200600-op06qy98llzpzgl1
> committer: Ramil Kalimullin <ramil@mysql.com>
> branch nick: b53237-5.0-bugteam
> timestamp: Thu 2010-04-29 08:42:32 +0400
> message:
>   Fix for bug #53237: mysql_list_fields/COM_FIELD_LIST stack smashing
>   
>   Problem: "COM_FIELD_LIST is an old command of the MySQL server, before there was real move to only
>   SQL. Seems that the data sent to COM_FIELD_LIST( mysql_list_fields() function) is not
>   checked for sanity. By sending long data for the table a buffer is overflown, which can
>   be used deliberately to include code that harms".
>   
>   Fix: check incoming data length.

The patch did not apply cleanly:
- Line numbers are completely off, roughly it is 2030 -> 1313
- What is called "pend" in the patch is "arg_end" in the source.
parent 25d938b6
......@@ -1300,8 +1300,16 @@ bool dispatch_command(enum enum_server_command command, THD *thd,
We have name + wildcard in packet, separated by endzero
*/
arg_end= strend(packet);
uint arg_length= arg_end - packet;
/* Check given table name length. */
if (arg_length >= packet_length || arg_length > NAME_LEN)
{
my_message(ER_UNKNOWN_COM_ERROR, ER(ER_UNKNOWN_COM_ERROR), MYF(0));
break;
}
thd->convert_string(&conv_name, system_charset_info,
packet, (uint) (arg_end - packet), thd->charset());
packet, arg_length, thd->charset());
table_list.alias= table_list.table_name= conv_name.str;
packet= arg_end + 1;
......
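Review bot: the new length check covers only the table name, not the wildcard that the comment at the top of the hunk says follows it; after `packet= arg_end + 1;` the remainder of the packet is still consumed without a corresponding bound against `packet_length`, so confirm in the surrounding code (not visible here) that the wildcard part is bounded the same way, or extend this hunk to check it. Two smaller points: the comment `/* Check given table name length. */` should state why the test is `arg_length >= packet_length` rather than `>`, namely that the terminating zero found by `strend(packet)` must lie inside the packet and leave room for the wildcard, otherwise a future reader may "fix" it to `>`; and reporting an over-long or unterminated name as `ER_UNKNOWN_COM_ERROR` hides the actual cause from anyone reading the client-side error, so a message that mentions the name length limit (`NAME_LEN`) would make the rejection easier to diagnose. The rest of the hunk, replacing the `(uint) (arg_end - packet)` argument with the already-computed `arg_length`, is a clean simplification.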