mirror/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2026-05-14 19:07:15 +02:00
Code Issues Projects Releases Packages Wiki Activity

SECURITY FIX

Browse source 
Bug#17667: An attacker has the opportunity to bypass query logging.

This adds a new, local-only printf format specifier to our *printf functions
that allows us to print known-size buffers that must not be interpreted as 
NUL-terminated "strings."

It uses this format-specifier to print to the log, thus fixing this 
problem.


include/my_sys.h:
  Add prototype for my_memmem() .
mysys/Makefile.am:
  Add reference to new file, my_memmem.c
mysys/mf_iocache2.c:
  Add a "%.1234b" and "%.*b" percent-code.  It takes a width, just like "%s", 
  but unlike the string-indicator, it requires the width and doesn't stop printing
  at NUL characters.
  
  Also, simplify the code a bit.
  
  TODO:  This code should be unified with the strings/my_vnsprintf.c code in 
  the future.
sql/sql_parse.cc:
  The query is not a C-string, but is a sized buffer, containing any character 
  at all, which may include NUL characters.
strings/my_vsnprintf.c:
  Add a "%.1234b" and "%.*b" percent-code.  It takes a width, just like "%s", 
  but unlike the string-indicator, it requires the width and doesn't stop printing
  at NUL characters.
tests/Makefile.am:
  We may need some of our local functions.
tests/mysql_client_test.c:
  Add a "%.1234b" and "%.*b" percent-code.  It takes a width, just like "%s", 
  but unlike the string-indicator, it requires the width and doesn't stop printing
  at NUL characters.
mysql-test/t/mysql_client_test.opt:
  New BitKeeper file ``mysql-test/t/mysql_client_test.opt''
  
  Add '--log' server parameter.
mysys/my_memmem.c:
  New BitKeeper file ``mysys/my_memmem.c''
  
  Implement memmem, a black-box work-alike of the GNU memmem(), which functions
  like strstr() but for arbitrary blocks of memory.
This commit is contained in:
unknown 2006-05-01 22:10:50 -04:00
commit 3010890e58
9 changed files with 220 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

9
strings/my_vsnprintf.c
View file

@ -27,6 +27,7 @@
%#[l]d
%#[l]u
%#[l]x
%#.#b Local format; note first # is ignored and second is REQUIRED
%#.#s Note first # is ignored
RETURN
@ -40,7 +41,7 @@ int my_vsnprintf(char *to, size_t n, const char* fmt, va_list ap)
for (; *fmt ; fmt++)
{
if (fmt[0] != '%')
if (*fmt != '%')
{
if (to == end) /* End of buffer */
break;
@ -95,6 +96,12 @@ int my_vsnprintf(char *to, size_t n, const char* fmt, va_list ap)
to=strnmov(to,par,plen);
continue;
}
else if (*fmt == 'b') /* Buffer parameter */
{
char *par = va_arg(ap, char *);
to=memmove(to, par, abs(width));
continue;
}
else if (*fmt == 'd' || *fmt == 'u'|| *fmt== 'x') /* Integer parameter */
{
register long larg;