Skip to content

Commit 1a95ed1

Browse files
author
[email protected]/white.intern.koehntopp.de
committed
Bug#31752: check strmake() bounds
strmake() calls are easy to get wrong. Add checks in extra debug mode to identify possible exploits. Remove some dead code. Remove some off-by-one errors identified with new checks.
1 parent 39f6cbc commit 1a95ed1

6 files changed

Lines changed: 24 additions & 19 deletions

File tree

sql/log.cc

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -966,7 +966,7 @@ void MYSQL_LOG::make_log_name(char* buf, const char* log_ident)
966966
if (dir_len > FN_REFLEN)
967967
dir_len=FN_REFLEN-1;
968968
strnmov(buf, log_file_name, dir_len);
969-
strmake(buf+dir_len, log_ident, FN_REFLEN - dir_len);
969+
strmake(buf+dir_len, log_ident, FN_REFLEN - dir_len -1);
970970
}
971971

972972

sql/repl_failsafe.cc

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -926,7 +926,7 @@ int load_master_data(THD* thd)
926926
0, (SLAVE_IO | SLAVE_SQL)))
927927
send_error(thd, ER_MASTER_INFO);
928928
strmake(active_mi->master_log_name, row[0],
929-
sizeof(active_mi->master_log_name));
929+
sizeof(active_mi->master_log_name) -1);
930930
active_mi->master_log_pos= my_strtoll10(row[1], (char**) 0, &error);
931931
/* at least in recent versions, the condition below should be false */
932932
if (active_mi->master_log_pos < BIN_LOG_HEADER_SIZE)

sql/set_var.cc

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1573,7 +1573,7 @@ bool sys_var::check_set(THD *thd, set_var *var, TYPELIB *enum_names)
15731573
&not_used));
15741574
if (error_len)
15751575
{
1576-
strmake(buff, error, min(sizeof(buff), error_len));
1576+
strmake(buff, error, min(sizeof(buff) - 1, error_len));
15771577
goto err;
15781578
}
15791579
}

sql/sql_show.cc

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -136,7 +136,7 @@ int mysqld_show_tables(THD *thd,const char *db,const char *wild)
136136
{
137137
Item_string *field=new Item_string("",0,thd->charset());
138138
List<Item> field_list;
139-
char path[FN_LEN],*end;
139+
char path[FN_REFLEN],*end;
140140
List<char> files;
141141
char *file_name;
142142
Protocol *protocol= thd->protocol;
@@ -457,7 +457,7 @@ int mysqld_extend_show_tables(THD *thd,const char *db,const char *wild)
457457
Item *item;
458458
List<char> files;
459459
List<Item> field_list;
460-
char path[FN_LEN];
460+
char path[FN_REFLEN];
461461
char *file_name;
462462
TABLE *table;
463463
Protocol *protocol= thd->protocol;

sql/unireg.cc

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -140,6 +140,9 @@ bool mysql_create_frm(THD *thd, my_string file_name,
140140
strmake((char*) forminfo+47,create_info->comment ? create_info->comment : "",
141141
60);
142142
forminfo[46]=(uchar) strlen((char*)forminfo+47); // Length of comment
143+
#ifdef EXTRA_DEBUG
144+
memset((char*) forminfo+47 + forminfo[46], 0, 61 - forminfo[46]);
145+
#endif
143146

144147
if (my_pwrite(file,(byte*) fileinfo,64,0L,MYF_RW) ||
145148
my_pwrite(file,(byte*) keybuff,key_info_length,

strings/strmake.c

Lines changed: 16 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -28,23 +28,25 @@
2828
#include <my_global.h>
2929
#include "m_string.h"
3030

31-
#ifdef BAD_STRING_COMPILER
32-
33-
char *strmake(char *dst,const char *src,uint length)
31+
char *strmake(register char *dst, register const char *src, uint length)
3432
{
35-
reg1 char *res;
36-
37-
if ((res=memccpy(dst,src,0,length)))
38-
return res-1;
39-
dst[length]=0;
40-
return dst+length;
41-
}
42-
43-
#define strmake strmake_overlapp /* Use orginal for overlapping str */
33+
#ifdef EXTRA_DEBUG
34+
/*
35+
'length' is the maximum length of the string; the buffer needs
36+
to be one character larger to accomodate the terminating '\0'.
37+
This is easy to get wrong, so we make sure we write to the
38+
entire length of the buffer to identify incorrect buffer-sizes.
39+
We only initialise the "unused" part of the buffer here, a) for
40+
efficiency, and b) because dst==src is allowed, so initialising
41+
the entire buffer would overwrite the source-string. Also, we
42+
write a character rather than '\0' as this makes spotting these
43+
problems in the results easier.
44+
*/
45+
uint n= strlen(src) + 1;
46+
if (n <= length)
47+
memset(dst + n, (int) 'Z', length - n + 1);
4448
#endif
4549

46-
char *strmake(register char *dst, register const char *src, uint length)
47-
{
4850
while (length--)
4951
if (! (*dst++ = *src++))
5052
return dst-1;

0 commit comments

Comments
 (0)