Commit b3cedc24 authored by Staale Smedseng's avatar Staale Smedseng

Bug #45790 Potential DoS vector: Writing of user input to log

without proper formatting
      
The problem is that a suitably crafted database identifier
supplied to COM_CREATE_DB or COM_DROP_DB can cause a SIGSEGV,
and thereby a denial of service. The database name is printed
to the log without using a format string, so potential
attackers can control the behavior of my_b_vprintf() by
supplying their own format string. A CREATE or DROP privilege
would be required.
      
This patch supplies a format string to the printing of the
database name. A test case is added to mysql_client_test.


sql/sql_parse.cc:
  Added format strings.
tests/mysql_client_test.c:
  Added new test case.
parent 720906ee
...@@ -2096,7 +2096,7 @@ bool dispatch_command(enum enum_server_command command, THD *thd, ...@@ -2096,7 +2096,7 @@ bool dispatch_command(enum enum_server_command command, THD *thd,
} }
if (check_access(thd,CREATE_ACL,db,0,1,0,is_schema_db(db))) if (check_access(thd,CREATE_ACL,db,0,1,0,is_schema_db(db)))
break; break;
mysql_log.write(thd,command,packet); mysql_log.write(thd, command, "%s", db);
bzero(&create_info, sizeof(create_info)); bzero(&create_info, sizeof(create_info));
mysql_create_db(thd, (lower_case_table_names == 2 ? alias : db), mysql_create_db(thd, (lower_case_table_names == 2 ? alias : db),
&create_info, 0); &create_info, 0);
...@@ -2121,7 +2121,7 @@ bool dispatch_command(enum enum_server_command command, THD *thd, ...@@ -2121,7 +2121,7 @@ bool dispatch_command(enum enum_server_command command, THD *thd,
ER(ER_LOCK_OR_ACTIVE_TRANSACTION), MYF(0)); ER(ER_LOCK_OR_ACTIVE_TRANSACTION), MYF(0));
break; break;
} }
mysql_log.write(thd,command,db); mysql_log.write(thd, command, "%s", db);
mysql_rm_db(thd, db, 0, 0); mysql_rm_db(thd, db, 0, 0);
break; break;
} }
......
...@@ -12063,6 +12063,27 @@ static void test_bug6081() ...@@ -12063,6 +12063,27 @@ static void test_bug6081()
} }
/*
Verify that bogus database names are handled properly with
COM_CREATE_DB and COM_DROP_DB, i.e., cannot cause SIGSEGV through
the use of printf specifiers in the database name.
*/
static void test_bug45790()
{
const char* bogus_db = "%s%s%s%s%s%s%s";
int rc;
myheader("test_bug45790");
rc= simple_command(mysql, COM_CREATE_DB, bogus_db,
(ulong)strlen(bogus_db), 0);
myquery(rc);
rc= simple_command(mysql, COM_DROP_DB, bogus_db,
(ulong)strlen(bogus_db), 0);
myquery(rc);
}
static void test_bug6096() static void test_bug6096()
{ {
MYSQL_STMT *stmt; MYSQL_STMT *stmt;
...@@ -16829,6 +16850,7 @@ static struct my_tests_st my_tests[]= { ...@@ -16829,6 +16850,7 @@ static struct my_tests_st my_tests[]= {
{ "test_bug6059", test_bug6059 }, { "test_bug6059", test_bug6059 },
{ "test_bug6046", test_bug6046 }, { "test_bug6046", test_bug6046 },
{ "test_bug6081", test_bug6081 }, { "test_bug6081", test_bug6081 },
{ "test_bug45790",test_bug45790 },
{ "test_bug6096", test_bug6096 }, { "test_bug6096", test_bug6096 },
{ "test_datetime_ranges", test_datetime_ranges }, { "test_datetime_ranges", test_datetime_ranges },
{ "test_bug4172", test_bug4172 }, { "test_bug4172", test_bug4172 },
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment