mirror/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-01-18 04:53:01 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix for bug #53237: mysql_list_fields/COM_FIELD_LIST stack smashing

Browse source 
Problem: "COM_FIELD_LIST is an old command of the MySQL server, before there was real move to only
SQL. Seems that the data sent to COM_FIELD_LIST( mysql_list_fields() function) is not
checked for sanity. By sending long data for the table a buffer is overflown, which can
be used deliberately to include code that harms".

Fix: check incoming data length.
This commit is contained in:
Ramil Kalimullin 2010-04-29 08:42:32 +04:00
parent 1a1fd04d84
commit 933e5ca5f0
1 changed files with 9 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
sql/sql_parse.cc
View file

@ -2025,8 +2025,16 @@ bool dispatch_command(enum enum_server_command command, THD *thd,
if (thd->copy_db_to(&table_list.db, &table_list.db_length))
break;
pend= strend(packet);
uint arg_length= pend - packet;
/* Check given table name length. */
if (arg_length >= packet_length || arg_length > NAME_LEN)
{
my_message(ER_UNKNOWN_COM_ERROR, ER(ER_UNKNOWN_COM_ERROR), MYF(0));
break;
}
thd->convert_string(&conv_name, system_charset_info,
packet, (uint) (pend-packet), thd->charset());
packet, arg_length, thd->charset());
table_list.alias= table_list.table_name= conv_name.str;
packet= pend+1;