When the client program had its stdout file descriptor closed by the calling
shell, after some amount of work (enough to fill a socket buffer) the server
would complain about a packet error and then disconnect the client.
This is a serious security problem. If stdout is closed before mysql is
exec()d, then the first socket() call allocates file number 1 to communicate
with the server. Subsequent write()s to that file number (as when printing
results that come back from the database) go back to the server instead in
the command channel. So, one should be able to craft data which, upon being
selected back from the server to the client, and injected into the command
stream become valid MySQL protocol to do something nasty when sent /back/ to
the server.
The solution is to close explicitly the file descriptor that we *printf() to,
so that the libc layer and the OS layer both agree that the file is closed.
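As an added illustration of the descriptor-reuse hazard the commit message above describes (this is example code written for this page, not code from the MySQL tree): fd 1 is closed the way a shell's `1>&-` would, a socketpair stands in for the client/server connection, and a constructed "result row" is printed through stdio. Without any countermeasure the bytes turn up on the socket. The `sanitise_stdfds()` helper is a hypothetical hardening in the style of OpenSSH's sanitise_stdfd() (re-bind closed fds 0, 1, 2 to /dev/null before opening anything else); it is deliberately different from the commit's own fix, which closes the stdio stream so libc and the kernel agree. Assumes a POSIX system with AF_UNIX socketpair and MSG_DONTWAIT.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Make sure fds 0, 1 and 2 are open, binding any closed one to /dev/null so
 * that a later socket()/open() cannot be handed a standard descriptor.
 * Returns how many fds had to be re-bound, or -1 on failure.
 * (Hypothetical hardening modelled on OpenSSH's sanitise_stdfd(); it is
 * not the fix the commit message describes.) */
int sanitise_stdfds(void)
{
    int fixed = 0;
    for (int fd = 0; fd <= 2; fd++) {
        if (fcntl(fd, F_GETFD) == -1 && errno == EBADF) {
            int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
            if (nfd < 0)
                return -1;
            if (nfd != fd) {
                if (dup2(nfd, fd) < 0) {
                    close(nfd);
                    return -1;
                }
                close(nfd);
            }
            fixed++;
        }
    }
    return fixed;
}

/* Reproduce the scenario: stdout (fd 1) is closed, then the "connection"
 * (a socketpair standing in for the client<->server socket) is created,
 * then a result row is printed through stdio.  Returns 1 if the printed
 * bytes arrived on the socket, 0 if they did not, -1 on error.
 * With harden != 0, sanitise_stdfds() runs between the close and the
 * socket creation.  A copy of the real stdout is kept and restored. */
static int run_scenario(int harden)
{
    static const char row[] = "constructed result row\n"; /* constructed sample */
    char buf[sizeof row];
    int sv[2], saved, leaked = -1;
    ssize_t n;

    if (sanitise_stdfds() < 0)            /* known starting state: 0,1,2 open */
        return -1;
    fflush(stdout);
    if ((saved = dup(STDOUT_FILENO)) < 0)
        return -1;
    close(STDOUT_FILENO);                 /* what the shell's 1>&- did */
    if (harden && sanitise_stdfds() < 0)
        goto restore;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        goto restore;
    /* libc still believes stdout is fd 1; the kernel has reused that number
     * for sv[0] in the unhardened case, for /dev/null in the hardened one. */
    fputs(row, stdout);
    fflush(stdout);
    n = recv(sv[1], buf, sizeof buf - 1, MSG_DONTWAIT);
    leaked = (n == (ssize_t)(sizeof row - 1) && memcmp(buf, row, (size_t)n) == 0);
    close(sv[0]);
    close(sv[1]);
restore:
    dup2(saved, STDOUT_FILENO);           /* put the real stdout back */
    close(saved);
    clearerr(stdout);
    return leaked;
}

int leak_without_hardening(void) { return run_scenario(0); }
int leak_with_hardening(void)    { return run_scenario(1); }

int main(void)
{
    printf("unhardened: result row leaked into socket = %d\n", leak_without_hardening());
    printf("hardened:   result row leaked into socket = %d\n", leak_with_hardening());
    return 0;
}
```

The unhardened run returns 1 because socketpair() hands out fd 1 as the lowest free descriptor and stdio's later write(1, ...) lands on it; the hardened run returns 0 because fd 1 was re-bound to /dev/null first, so the socket is allocated a higher number and the printed row goes nowhere. Either approach (re-binding the standard fds early, or closing the stdio stream so libc cannot write to a number it no longer owns) removes the path by which server-supplied bytes could be echoed back into the command channel.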
The executing code had a safety assertion so that it refused to free Items
that it didn't create. However, there is a case, undefined user variables,
which would put Items into the list to be freed.
Instead, do something that is more risky in expectation that the code will
be refactored soon, as Kostja wants to do: Remove the assertions from
prepare() and execute(). Put one assertion at a higher level, before
stmt->set_params_from_vars(), which may then create new to-be-freed Items.
(race cond)
It was possible for one thread to interrupt a Data Definition Language
statement and thereby get messages to the binlog out of order. Consider:
Connection 1: Drop Foo x
Connection 2: Create or replace Foo x
Connection 2: Log "Create or replace Foo x"
Connection 1: Log "Drop Foo x"
Local end would have Foo x, but the replicated slaves would not.
The fix for this is to wrap all DDL and logging of a kind in the same mutex.
Since we already use mutexes for the various parts of altering the server,
this only entails moving the logging events down close to the action, inside
the mutex protection.
The STACK_MIN_SIZE is currently set to 8192, when we actually need
(empirically discovered) 9236 bytes to raise a fatal error, on Ubuntu
Dapper Drake, libc6 2.3.6-0ubuntu2, Linux kernel 2.6.15-27-686, on x86.
I'm taking that as a new lower bound, plus 100B of wiggle-room for sundry
word sizes and stack behaviors.
The added test verifies in a cross-platform way that there are no gaps
between the space that we think we need and what we actually need to report
an error.
DOCUMENTERS: This also adds "let" to the mysqltest commands that evaluate
an argument to expand variables therein. (Only right of the "=", of course.)
The patch affects only test suite and has the following changes:
1. On starting Instance Manager -- added code for waiting for guarded
mysqld instances to create PID files;
2. Polishing;
3. Move IM-related operations out of mtr_process.pl into a new file
   dedicated to IM -- mtr_im.pl
- BUG#15934: Instance manager fails to work;
- BUG#18020: IM connect problem;
- BUG#18027: IM: Server_ID differs;
- BUG#18033: IM: Server_ID not reported;
- BUG#21331: Instance Manager: Connect problems in tests;
Only the test suite has been changed
(server codebase has not been modified).
User names (host names) have a limit on length. The server code relies on these
limits when storing the names. The problem was that sometimes these limits
were not checked properly, so that could lead to buffer overflow.
The fix is to check length of user/host name in parser and if string is too
long, throw an error.
Logging to logging@openlogging.org accepted
DbtcMain.cpp, testTimeout.cpp:
Bug #11290 TransactionInactiveTimeout = 0 does not result in infinite timeout
Added a test case for bug #11167.
sql_select.cc:
Fixed bug #11167.
In 4.1 char/varchar fields are limited to 255 characters in
length, which makes them longer than 255 bytes in size for such
character sets as UTF8. The functions store_record_in_cache
and read_cached_records did not take this into account.
Moreover the code did not take into account that the size
of the varchar fields in 5.0 can be up to 65535 bytes.
- show_msg.inc - displays a message followed by a line of '-' at the length of the message
- show_msg80.inc - displays a message followed by a line of '-' with a fixed length of 80
Analyze table corrupts the state on
data_file_length, records, index_file_length...
by writing the shared state when there is an updated internal
state due to inserts or deletes.
Fixed by syncing the shared state with the internal state before
writing it to disk.
Added test cases of 2 error cases and a normal case in new
analyze test case.
Fixed bug #9939: a wrong conversion of arguments
for functions COALESCE and IFNULL.
The str_op virtual method was added into Item_func_numhybrid.
item_func.cc:
Fixed bug #9939: a wrong conversion of arguments
for functions COALESCE and IFNULL.
The str_op virtual method was added into Item_func_numhybrid.
item_cmpfunc.h, item_cmpfunc.cc:
Fixed bug #9939: a wrong conversion of arguments
for functions COALESCE and IFNULL.
Item_func_coalesce and Item_func_ifnull now
inherit from a modified Item_func_numhybrid.
case.test, case.result:
Added test cases for bug #9939.