The server could be tricked to read packets indefinitely if it
received a packet larger than the maximum size of one packet.
This problem is aggravated by the fact that it can be triggered
before authentication.
The solution is to no skip big packets for non-authenticated
sessions. If a big packet is sent before a session is authen-
ticated, a error is returned and the connection is closed.
include/mysql_com.h:
Add skip flag. Only used in server builds.
sql/net_serv.cc:
Control whether big packets can be skipped.
Problem: "COM_FIELD_LIST is an old command of the MySQL server, before there was real move to only
SQL. Seems that the data sent to COM_FIELD_LIST( mysql_list_fields() function) is not
checked for sanity. By sending long data for the table a buffer is overflown, which can
be used deliberately to include code that harms".
Fix: check incoming data length.
sql/sql_parse.cc:
Fix for bug #53237: mysql_list_fields/COM_FIELD_LIST stack smashing
- check incoming mysql_list_fields() table name arg length.
This is branches/zip@r6032 in SVN and _is part_ of
revid:svn-v4:16c675df-0fcb-4bc9-8058-dcc011a37293:branches/zip:6113
in BZR.
This is being reverted because now the code is serialized directly on
index->stat_n_diff_key_vals[] as the fix for
Bug#53046 dict_update_statistics_low can still be run concurrently on same table
goes.
on same table
Protect dict_index_t::stat_n_diff_key_vals[] with an array of
mutexes.
Testing: tested all code paths under UNIV_SYNC_DEBUG
for the one in dict_print() one has to enable the InnoDB table monitor:
CREATE TABLE innodb_table_monitor (a int) ENGINE=INNODB;
------------------------------------------------------------------------
r6103 | marko | 2009-10-26 15:46:18 +0200 (Mon, 26 Oct 2009) | 4 lines
Changed paths:
M /branches/zip/row/row0ins.c
branches/zip: row_ins_alloc_sys_fields(): Zero out the system columns
DB_TRX_ID, DB_ROLL_PTR and DB_ROW_ID, in order to avoid harmless
Valgrind warnings about uninitialized data. (The warnings were
harmless, because the fields would be initialized at a later stage.)
------------------------------------------------------------------------
Extract part of innodb.innodb into innodb.innodb_misc1
This is needed in order to be able to more easily debug this test,
under valgrind, it is too huge.
The problem was in an incorrect debug assertion. The expression
used in the failing assertion states that when finding
references matching ORDER BY expressions, there can be only one
reference to a single table. But that does not make any sense,
all test cases for this bug are valid examples with multiple
identical WHERE expressions referencing the same table which
are also present in the ORDER BY list.
Fixed by removing the failing assertion. We also have to take
care of the 'found' counter so that we count multiple
references only once. We rely on this fact later in
eq_ref_table().
mysql-test/r/join.result:
Added a test case for bug #50335.
mysql-test/t/join.test:
Added a test case for bug #50335.
sql/sql_select.cc:
Removing the assertion in eq_ref_table() as it does not make
any sense. We also have to take care of the 'found' counter so
that we count multiple references only once. We rely on this
fact later in eq_ref_table().
When row_merge_drop_temp_indexes() was reworked to drop the indexes
via the data dictionary cache, the code was broken because it would
read the index name from the wrong field.
btr_page_tuple_smaller(): New function, refactored from
btr_page_split_and_insert().
btr_page_get_split_rec(): Renamed from btr_page_get_sure_split_rec().
Note that a NULL return may mean that the tuple is to be inserted into
either the lower or upper page, to be determined by btr_page_tuple_smaller().
btr_page_split_and_insert(): When btr_page_get_split_rec() returns NULL,
invoke btr_page_tuple_smaller() to determine which half-page the tuple
belongs to.
Reviewed by Sunny Bains
indexed BLOBs for ROW_FORMAT=DYNAMIC and ROW_FORMAT_COMPRESSED tables
(Bug #52746). In these tables, the locally stored prefix of a BLOB can
be as small as 20 bytes (BTR_EXTERN_FIELD_REF_SIZE). ROW_FORMAT=REDUNDANT
and ROW_FORMAT=COMPACT store a prefix of 768 bytes (REC_MAX_INDEX_COL_LEN).
trx_undo_rec_get_col_val(): Relax the ut_ad() assertion and add a
reference to dtuple_convert_big_rec().
trx_undo_rec_get_partial_row(): Relax the ut_a() assertion that
prompted Bug #52746.
