Old style C functions `strcpy()`, `strcat()` and `sprintf()` are vulnerable to
security issues due to lacking memory boundary checks. Replace these in the
Connect storage engine with safe new and/or custom functions such as
`snprintf()`, `safe_strcpy()` and `safe_strcat()`.
With this change FlawFinder and other static security analyzers report 287
fewer findings.
All new code of the whole pull request, including one or several files that are
either new files or modified ones, are contributed under the BSD-new license. I
am contributing on behalf of my employer Amazon Web Services, Inc.
Continue with similar changes as done in 19af1890 to replace sprintf(buf, ...)
with snprintf(buf, sizeof(buf), ...), specifically in the "easy" cases where buf
is allocated with a size known at compile time.
All new code of the whole pull request, including one or several files that are
either new files or modified ones, are contributed under the BSD-new license. I
am contributing on behalf of my employer Amazon Web Services, Inc.
This commit replaces sprintf(buf, ...) with
snprintf(buf, sizeof(buf), ...),
specifically in the "easy" cases where buf is allocated with a size
known at compile time.
The changes make sure we do not write outside array/string bounds, which
will lead to undefined behaviour. In case the code is trying to write
outside bounds, the safe versions of the functions simply cut the string
messages so we process this gracefully.
All new code of the whole pull request, including one or several files
that are either new files or modified ones, are contributed under the BSD-new
license. I am contributing on behalf of my employer Amazon Web Services,
Inc.
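The sprintf-to-snprintf replacement described in the commit messages above, as an added example (not code from these commits or from the CONNECT sources). The names `fmt_checked`, `format_table_msg`, `size_seen_through_pointer` and `size_of_pointer_array` are hypothetical; the block shows why `sizeof(buf)` is only a valid bound when `buf` is a true character array, and how the return value reveals that a message was cut.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not CONNECT code: bounded format that reports
   truncation. Returns 0 if the text fit, 1 if it was cut, -1 on error. */
static int fmt_checked(char *dst, size_t cap, const char *fmt, ...)
{
  va_list ap;
  int n;

  if (cap == 0)
    return -1;
  va_start(ap, fmt);
  n = vsnprintf(dst, cap, fmt, ap);  /* writes at most cap-1 chars + NUL */
  va_end(ap);
  if (n < 0) {
    dst[0] = '\0';
    return -1;
  }
  return (size_t) n >= cap;          /* n is the length that was needed */
}

/* "Easy" case: buf is a true array, so sizeof(buf) is its capacity.
   The (possibly cut) result is copied to out so a caller can inspect it. */
static int format_table_msg(const char *name, char *out, size_t outcap)
{
  char buf[16];
  int cut = fmt_checked(buf, sizeof(buf), "table=%s", name);

  fmt_checked(out, outcap, "%s", buf);
  return cut;
}

/* Not an easy case: through a pointer, sizeof yields the pointer size. */
static size_t size_seen_through_pointer(char *buf) { return sizeof(buf); }

/* An array of 256 pointers is not a 256-byte text buffer. */
static size_t size_of_pointer_array(void) { return sizeof(char *[256]); }

int main(void)
{
  char out[64];
  int cut = format_table_msg("a_very_long_table_name", out, sizeof(out));

  printf("cut=%d text=\"%s\"\n", cut, out);
  return 0;
}
```

Truncation keeps memory safe but silently changes the message, so callers that build file names or queries from such a buffer should check the return value instead of ignoring it.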
bsonudf.cpp warnings cleanup by Daniel Black
Reviewer: Daniel Black
modified: storage/connect/ha_connect.cc
Add conditional SE exception support
modified: storage/connect/json.cpp
modified: storage/connect/plgdbutl.cpp
Change %p to %x in some sprintf functions.
This is to avoid some compiler warnings.
modified: storage/connect/tabwmi.cpp
modified: storage/connect/tabxml.cpp
modified: storage/connect/value.h
Add JavaWrappers.jar to the class path
modified: storage/connect/jdbconn.cpp
Fix wrong declare (char *buf[256]; --> char buf[256];)
modified: storage/connect/xindex.cpp
the beginning. Defining the STRING class and beginning to use it (MYSQL)
2) Change the xtrace, use_tempfile and exact_info connect variables from
GLOBAL to SESSION. Remaining GLOBAL variables have been made readonly.
3) Take care of LEX_STRING variables. The .str should not be regarded as
always being 0 terminated. This is handled by the Strz functions that
make sure to return 0 terminated strings.
Bug fix:
- When inserting in MYSQL table with special column(s) a query such as:
insert into t2 values(0,4,'new04'),(0,5,'new05');
failed saying: column id (the special column) not found in t2.
It is now accepted but must be counted in values (these 0 are ignored)
- ROWID was returning row numbers based 0. Now it is from base 1.
modified:
storage/connect/array.cpp
storage/connect/blkfil.cpp
storage/connect/colblk.cpp
storage/connect/connect.cc
storage/connect/filamap.cpp
storage/connect/filamdbf.cpp
storage/connect/filamfix.cpp
storage/connect/filamtxt.cpp
storage/connect/filamvct.cpp
storage/connect/filamzip.cpp
storage/connect/filamzip.h
storage/connect/filter.cpp
storage/connect/global.h
storage/connect/ha_connect.cc
storage/connect/ha_connect.h
storage/connect/libdoc.cpp
storage/connect/mycat.cc
storage/connect/myconn.cpp
storage/connect/odbconn.cpp
storage/connect/plgdbutl.cpp
storage/connect/plugutil.c
storage/connect/reldef.cpp
storage/connect/tabcol.cpp
storage/connect/tabdos.cpp
storage/connect/tabfix.cpp
storage/connect/tabfmt.cpp
storage/connect/table.cpp
storage/connect/tabmul.cpp
storage/connect/tabmysql.cpp
storage/connect/tabmysql.h
storage/connect/taboccur.cpp
storage/connect/tabodbc.cpp
storage/connect/tabpivot.cpp
storage/connect/tabsys.cpp
storage/connect/tabtbl.cpp
storage/connect/tabutil.cpp
storage/connect/tabvct.cpp
storage/connect/tabwmi.cpp
storage/connect/tabwmi.h
storage/connect/tabxcl.cpp
storage/connect/tabxml.cpp
storage/connect/user_connect.cc
storage/connect/valblk.cpp
storage/connect/value.cpp
storage/connect/value.h
storage/connect/xindex.cpp
storage/connect/xobject.cpp
storage/connect/xobject.h
storage/connect/xtable.h
catalog data path had not been set. This was added into ha_connect::info.
modified:
storage/connect/ha_connect.cc
- All the functions querying table options could return information from the wrong
table when several CONNECT tables were used in the same query (for instance joined
together) This was because they belonged to the catalog class that is shared between
all tables in the same query. They have been moved from the catalog class to the
TABDEF/RELDEF class that is attached to each table. This was a major potential bug.
modified:
storage/connect/catalog.h
storage/connect/filamvct.cpp
storage/connect/filamzip.cpp
storage/connect/mycat.cc
storage/connect/mycat.h
storage/connect/reldef.cpp
storage/connect/reldef.h
storage/connect/tabdos.cpp
storage/connect/tabfmt.cpp
storage/connect/tabmul.cpp
storage/connect/tabmysql.cpp
storage/connect/taboccur.cpp
storage/connect/tabodbc.cpp
storage/connect/tabpivot.cpp
storage/connect/tabsys.cpp
storage/connect/tabtbl.cpp
storage/connect/tabutil.cpp
storage/connect/tabvct.cpp
storage/connect/tabwmi.cpp
storage/connect/tabxcl.cpp
storage/connect/tabxml.cpp
storage/connect/xindex.cpp
- Prepare indexing of MYSQL/ODBC tables (as does FEDERATED) (Not implemented yet)
modified:
storage/connect/ha_connect.cc
storage/connect/ha_connect.h
storage/connect/mycat.cc
storage/connect/mycat.h
- Typo
modified:
storage/connect/plgdbutl.cpp
in this version. Sure enough, it never caused any improvement in
the execution speed and rather caused a small increase of execution
time. This is probably because values are sorted by rowid in each
range of CONNECT indexes. This could be reconsidered if a customer
has a need for processing very big files.
- Fix a bug in ha_connect::CheckCond. The negated form of BETWEEN and
IS NULL operators was not recognized.
modified:
storage/connect/ha_connect.cc
- Add long jump initialization in CntReadNext. This was causing a server
crash when an error occurred in a ReadColumn.
modified:
storage/connect/connect.cc
- General cleanup of CONNECT source code eliminating all code not used by
CONNECT, including the MRR test code (saved separately).
modified:
storage/connect/catalog.h
storage/connect/colblk.cpp
storage/connect/colblk.h
storage/connect/connect.cc
storage/connect/connect.h
storage/connect/domdoc.h
storage/connect/filamap.cpp
storage/connect/filamap.h
storage/connect/filamdbf.h
storage/connect/filamfix.cpp
storage/connect/filamfix.h
storage/connect/filamtxt.cpp
storage/connect/filamtxt.h
storage/connect/filamvct.cpp
storage/connect/filamvct.h
storage/connect/filamzip.cpp
storage/connect/filamzip.h
storage/connect/global.h
storage/connect/ha_connect.cc
storage/connect/ha_connect.h
storage/connect/myconn.h
storage/connect/plgcnx.h
storage/connect/plgdbsem.h
storage/connect/plugutil.c
storage/connect/preparse.h
storage/connect/reldef.cpp
storage/connect/reldef.h
storage/connect/tabcol.h
storage/connect/tabdos.cpp
storage/connect/tabdos.h
storage/connect/tabfix.cpp
storage/connect/tabfmt.cpp
storage/connect/tabfmt.h
storage/connect/table.cpp
storage/connect/tabmac.h
storage/connect/tabmul.h
storage/connect/tabmysql.cpp
storage/connect/tabmysql.h
storage/connect/taboccur.h
storage/connect/tabodbc.cpp
storage/connect/tabodbc.h
storage/connect/tabsys.cpp
storage/connect/tabsys.h
storage/connect/tabtbl.cpp
storage/connect/tabtbl.h
storage/connect/tabutil.h
storage/connect/tabvct.cpp
storage/connect/tabvct.h
storage/connect/tabwmi.cpp
storage/connect/tabwmi.h
storage/connect/tabxml.cpp
storage/connect/tabxml.h
storage/connect/user_connect.cc
storage/connect/user_connect.h
storage/connect/valblk.cpp
storage/connect/valblk.h
storage/connect/value.cpp
storage/connect/value.h
storage/connect/xindex.cpp
storage/connect/xindex.h
storage/connect/xobject.cpp
storage/connect/xobject.h
storage/connect/xtable.h
processing that takes care of:
- Drastically reduce the amount of storage needed to process them.
- Handle longjmp's.
- Makes the line limit an option (MAXRES)
- Schema can also be specified with the DBNAME option.
- Issue warnings on fetch errors or when result lines have been limited.
- Change some column names to reflect ODBC version 3 standard.
The documentation has been updated accordingly
modified:
storage/connect/filamdbf.cpp
storage/connect/ha_connect.cc
storage/connect/myconn.cpp
storage/connect/mysql-test/connect/r/odbc.result
storage/connect/mysql-test/connect/r/odbc_postgresql.result
storage/connect/mysql-test/connect/r/odbc_sqlite3.result
storage/connect/mysql-test/connect/r/odbc_xls.result
storage/connect/mysql-test/connect/r/xml.result
storage/connect/mysql-test/connect/t/odbc_postgresql.test
storage/connect/odbccat.h
storage/connect/odbconn.cpp
storage/connect/odbconn.h
storage/connect/plgdbsem.h
storage/connect/plgdbutl.cpp
storage/connect/rcmsg.c
storage/connect/tabfmt.cpp
storage/connect/table.cpp
storage/connect/tabodbc.cpp
storage/connect/tabodbc.h
storage/connect/tabutil.cpp
storage/connect/tabwmi.cpp
storage/connect/user_connect.cc
storage/connect/valblk.cpp
storage/connect/valblk.h
storage/connect/value.cpp
modified:
storage/connect/filamtxt.h
storage/connect/filamzip.h
storage/connect/myconn.h
storage/connect/plgdbsem.h
storage/connect/taboccur.h
storage/connect/tabutil.h
storage/connect/tabxcl.h
- Add the possibility to execute several commands in one query of
an EXECSRC table (using ...where command in (cmd list);)
modified:
storage/connect/ha_connect.cc
storage/connect/odbconn.cpp
storage/connect/odbconn.h
storage/connect/tabmysql.cpp
storage/connect/tabmysql.h
storage/connect/tabodbc.cpp
storage/connect/tabodbc.h
storage/connect/tabtbl.cpp
storage/connect/tabwmi.cpp
storage/connect/xtable.h
- Enhance retrieving column definitions in discovery:
From SRCDEF adding LIMIT 0 to the executed query
Testing if type, length, and precision are compatible
Making the distinction between CHAR and VARCHAR
modified:
storage/connect/ha_connect.cc
storage/connect/myconn.cpp
storage/connect/mysql-test/connect/r/mysql.result
storage/connect/mysql-test/connect/r/odbc_sqlite3.result
storage/connect/mysql-test/connect/r/odbc_sqlite3_grant.result
storage/connect/myutil.h
storage/connect/odbconn.cpp
storage/connect/value.h
information function. This solves the problem of uninitialised zone
that was detected by valgrind.
modified:
storage/connect/myconn.cpp
storage/connect/odbconn.cpp
storage/connect/tabfmt.cpp
storage/connect/tabutil.cpp
storage/connect/tabwmi.cpp
catalog functions have been changed:
Table_types are now internally represented by enum TABTYPE.
Catalog function names are internally translated to a uint.
The function GetTypeID was modified accordingly and a new
function GetFuncID was implemented in mycat.cc.
Modified:
ha_connect.cc
odbccat.h
odbconn.cpp
tabodbc.cpp
tabfmt.cpp
tabmysql.h
tabmysql.cpp
tabwmi.cpp
mycat.h
mycat.cc
plgdbsem.h
reldef.h
tabdos.cpp
rcmsg.h
Modified: ha_connect.cc (MakeRecord)
Moved PlgAllocResult to plgdbutl.cpp
Modified:
mycat.cpp
plgdbutl.cpp
Continuing implementing the "catalog" tables (ex "info").
Already existing were the ODBC data source table and the
WMI column info table.
The common way to handle them was modified to enable each
table type to send personalized data.
Now takes care of all existing catalog functions for table
types that can retrieve and use such information.
Modified:
ha_connect.cc
odbconn.cpp
tabodbc.h
tabodbc.cpp
tabfmt.h
tabfmt.cpp
tabmysql.h
tabmysql.cpp
tabwmi.h
tabwmi.cpp
myconn.h
myconn.cpp
filamdbf.cpp
plgdbsem.h
reldef.h
reldef.cpp
tabdos.h
tabdos.cpp
tabfix.h
xtable.h
table.cpp
included by the program using them.
Continuing implementing the "catalog" tables (ex "info").
Already existing were the ODBC data source table and the
WMI column info table.
A common way to handle them will permit developing many
other such tables. Implemented:
The ODBC column catalog table.
The ODBC tables catalog table.
The ODBC drivers catalog table.
The INFO table option is replaced by the CATFUNC string option
whose first letter specifies the information to retrieve:
C: Columns (of a table)
T: Tables (of a database)
S: Data sources
D: Drivers
Modified:
ha_connect.cc
odbconn.cpp
odbconn.h
tabodbc.h
tabodbc.cpp
rcmsg.c
tabfmt.h
tabmysql.cpp
tabwmi.cpp
tabwmi.h
resource.h
myconn.h
filamdbf.h
connect.cc
connect.h
Added:
myutil.h
pre_create function and one is now able to create table
without giving the column specifications for tables of types:
DBF, ODBC, MYSQL, CSV, and WMI (on Windows)
modified:
sql/handler.h
sql/sql_table.cc
storage/connect/ha_connect.cc
storage/connect/ha_connect.h
storage/connect/mycat.cc
storage/connect/odbconn.cpp
storage/connect/plgcnx.h
storage/connect/tabfmt.cpp
storage/connect/tabmysql.cpp
storage/connect/tabwmi.cpp