SECURITY FIX
Bug#17667: An attacker has the opportunity to bypass query logging.
This adds a new, local-only printf format specifier to our *printf functions
that allows us to print known-size buffers that must not be interpreted as
NUL-terminated "strings."
It uses this format-specifier to print to the log, thus fixing this
problem.
include/my_sys.h:
Add prototype for my_memmem() .
mysys/Makefile.am:
Add reference to new file, my_memmem.c
mysys/mf_iocache2.c:
Add a "%.1234b" and "%.*b" percent-code. It takes a width, just like "%s",
but unlike the string-indicator, it requires the width and doesn't stop printing
at NUL characters.
Also, simplify the code a bit.
TODO: This code should be unified with the strings/my_vnsprintf.c code in
the future.
sql/sql_parse.cc:
The query is not a C-string, but is a sized buffer, containing any character
at all, which may include NUL characters.
strings/my_vsnprintf.c:
Add a "%.1234b" and "%.*b" percent-code. It takes a width, just like "%s",
but unlike the string-indicator, it requires the width and doesn't stop printing
at NUL characters.
tests/Makefile.am:
We may need some of our local functions.
tests/mysql_client_test.c:
Add a "%.1234b" and "%.*b" percent-code. It takes a width, just like "%s",
but unlike the string-indicator, it requires the width and doesn't stop printing
at NUL characters.
mysql-test/t/mysql_client_test.opt:
New BitKeeper file ``mysql-test/t/mysql_client_test.opt''
Add '--log' server parameter.
mysys/my_memmem.c:
New BitKeeper file ``mysys/my_memmem.c''
Implement memmem, a black-box work-alike of the GNU memmem(), which functions
like strstr() but for arbitrary blocks of memory.
2006-05-02 04:10:50 +02:00
|
|
|
#include "my_base.h"
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
my_memmem, port of a GNU extension.
|
|
|
|
|
|
|
|
|
|
Returns a pointer to the beginning of the substring, needle, or NULL if the
|
|
|
|
|
substring is not found in haystack.
|
|
|
|
|
*/
|
|
|
|
|
void *my_memmem(const void *haystack, size_t haystacklen,
|
|
|
|
|
const void *needle, size_t needlelen)
|
|
|
|
|
{
|
2006-05-02 09:19:54 +02:00
|
|
|
const unsigned char *cursor;
|
|
|
|
|
const unsigned char *last_possible_needle_location =
|
|
|
|
|
(unsigned char *)haystack + haystacklen - needlelen;
|
SECURITY FIX
Bug#17667: An attacker has the opportunity to bypass query logging.
This adds a new, local-only printf format specifier to our *printf functions
that allows us to print known-size buffers that must not be interpreted as
NUL-terminated "strings."
It uses this format-specifier to print to the log, thus fixing this
problem.
include/my_sys.h:
Add prototype for my_memmem() .
mysys/Makefile.am:
Add reference to new file, my_memmem.c
mysys/mf_iocache2.c:
Add a "%.1234b" and "%.*b" percent-code. It takes a width, just like "%s",
but unlike the string-indicator, it requires the width and doesn't stop printing
at NUL characters.
Also, simplify the code a bit.
TODO: This code should be unified with the strings/my_vnsprintf.c code in
the future.
sql/sql_parse.cc:
The query is not a C-string, but is a sized buffer, containing any character
at all, which may include NUL characters.
strings/my_vsnprintf.c:
Add a "%.1234b" and "%.*b" percent-code. It takes a width, just like "%s",
but unlike the string-indicator, it requires the width and doesn't stop printing
at NUL characters.
tests/Makefile.am:
We may need some of our local functions.
tests/mysql_client_test.c:
Add a "%.1234b" and "%.*b" percent-code. It takes a width, just like "%s",
but unlike the string-indicator, it requires the width and doesn't stop printing
at NUL characters.
mysql-test/t/mysql_client_test.opt:
New BitKeeper file ``mysql-test/t/mysql_client_test.opt''
Add '--log' server parameter.
mysys/my_memmem.c:
New BitKeeper file ``mysys/my_memmem.c''
Implement memmem, a black-box work-alike of the GNU memmem(), which functions
like strstr() but for arbitrary blocks of memory.
2006-05-02 04:10:50 +02:00
|
|
|
|
|
|
|
|
/* Easy answers */
|
|
|
|
|
if (needlelen > haystacklen) return(NULL);
|
|
|
|
|
if (needle == NULL) return(NULL);
|
|
|
|
|
if (haystack == NULL) return(NULL);
|
|
|
|
|
if (needlelen == 0) return(NULL);
|
|
|
|
|
if (haystacklen == 0) return(NULL);
|
|
|
|
|
|
|
|
|
|
for (cursor = haystack; cursor <= last_possible_needle_location; cursor++) {
|
|
|
|
|
if (memcmp(needle, cursor, needlelen) == 0) {
|
|
|
|
|
return((void *) cursor);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return(NULL);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#ifdef MAIN
|
|
|
|
|
#include <assert.h>
|
|
|
|
|
|
|
|
|
|
int main(int argc, char *argv[]) {
|
|
|
|
|
char haystack[10], needle[3];
|
|
|
|
|
|
|
|
|
|
memmove(haystack, "0123456789", 10);
|
|
|
|
|
|
|
|
|
|
memmove(needle, "no", 2);
|
|
|
|
|
assert(my_memmem(haystack, 10, needle, 2) == NULL);
|
|
|
|
|
|
|
|
|
|
memmove(needle, "345", 3);
|
|
|
|
|
assert(my_memmem(haystack, 10, needle, 3) != NULL);
|
|
|
|
|
|
|
|
|
|
memmove(needle, "789", 3);
|
|
|
|
|
assert(my_memmem(haystack, 10, needle, 3) != NULL);
|
|
|
|
|
assert(my_memmem(haystack, 9, needle, 3) == NULL);
|
|
|
|
|
|
|
|
|
|
memmove(needle, "012", 3);
|
|
|
|
|
assert(my_memmem(haystack, 10, needle, 3) != NULL);
|
|
|
|
|
assert(my_memmem(NULL, 10, needle, 3) == NULL);
|
|
|
|
|
|
|
|
|
|
assert(my_memmem(NULL, 10, needle, 3) == NULL);
|
|
|
|
|
assert(my_memmem(haystack, 0, needle, 3) == NULL);
|
|
|
|
|
assert(my_memmem(haystack, 10, NULL, 3) == NULL);
|
|
|
|
|
assert(my_memmem(haystack, 10, needle, 0) == NULL);
|
|
|
|
|
|
|
|
|
|
assert(my_memmem(haystack, 1, needle, 3) == NULL);
|
|
|
|
|
|
|
|
|
|
printf("success\n");
|
|
|
|
|
return(0);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#endif
|