Commit de0e8a02 authored by Venkata Sidagam's avatar Venkata Sidagam

Bug#16900358 FIX FOR CVE-2012-5611 IS INCOMPLETE

Description: Fix for bug CVE-2012-5611 (bug 67685) is 
incomplete. The ACL_KEY_LENGTH-sized buffers in acl_get() and 
check_grant_db() can be overflown by up to two bytes. That's 
probably not enough to do anything more serious than crashing 
mysqld.
Analysis: In acl_get() when "copy_length" is calculated it 
just adding the variable lengths. But when we are using them 
with strmov() we are adding +1 to each. This will lead to a 
three byte buffer overflow (i.e two +1's at strmov() and one 
byte for the null added by strmov() function). Similarly it 
happens for check_grant_db() function as well.
Fix: We need to add "+2" to "copy_length" in acl_get() 
and "+1" to "copy_length" in check_grant_db(). 
parent 3399194c
......@@ -1363,7 +1363,8 @@ ulong acl_get(const char *host, const char *ip,
copy_length= (size_t) (strlen(ip ? ip : "") +
strlen(user ? user : "") +
strlen(db ? db : ""));
strlen(db ? db : "")) + 2; /* Added 2 at the end to avoid
buffer overflow at strmov()*/
/*
Make sure that strmov() operations do not result in buffer overflow.
*/
......@@ -4353,7 +4354,8 @@ bool check_grant_db(THD *thd,const char *db)
size_t copy_length;
copy_length= (size_t) (strlen(sctx->priv_user ? sctx->priv_user : "") +
strlen(db ? db : ""));
strlen(db ? db : "")) + 1; /* Added 1 at the end to avoid
buffer overflow at strmov()*/
/*
Make sure that strmov() operations do not result in buffer overflow.
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment