Commit 1e2d3c9b authored by unknown's avatar unknown

fix potential security hole, pointed out by Sergei. Also simplify code per Sergei's suggestion.


sql/ha_federated.cc:
  if the mysql_error(mysql) text contained any %-format specifiers, my_snprintf would try to interpret them. The fix essentially replaces printf(str) with printf("%s", str);
sql/ha_federated.h:
  removed unused remote_error_len variable
parent 3b7c799f
...@@ -2616,10 +2616,8 @@ int ha_federated::stash_remote_error() ...@@ -2616,10 +2616,8 @@ int ha_federated::stash_remote_error()
DBUG_ENTER("ha_federated::stash_remote_error()"); DBUG_ENTER("ha_federated::stash_remote_error()");
remote_error_number= mysql_errno(mysql); remote_error_number= mysql_errno(mysql);
const char *remote_error= mysql_error(mysql); const char *remote_error= mysql_error(mysql);
remote_error_len= strlen(remote_error); my_snprintf(remote_error_buf, sizeof(remote_error_buf), "%s",
if(remote_error_len > (sizeof(remote_error_buf) - 1)) mysql_error(mysql));
remote_error_len= (sizeof(remote_error_buf) - 1);
my_snprintf(remote_error_buf, remote_error_len + 1, remote_error);
DBUG_RETURN(HA_FEDERATED_ERROR_WITH_REMOTE_SYSTEM); DBUG_RETURN(HA_FEDERATED_ERROR_WITH_REMOTE_SYSTEM);
} }
...@@ -2633,11 +2631,10 @@ bool ha_federated::get_error_message(int error, String* buf) ...@@ -2633,11 +2631,10 @@ bool ha_federated::get_error_message(int error, String* buf)
buf->append("Error on remote system: "); buf->append("Error on remote system: ");
buf->qs_append(remote_error_number); buf->qs_append(remote_error_number);
buf->append(": "); buf->append(": ");
buf->append(remote_error_buf, remote_error_len); buf->append(remote_error_buf);
remote_error_number= 0; remote_error_number= 0;
remote_error_buf[0]= '\0'; remote_error_buf[0]= '\0';
remote_error_len= 0;
} }
DBUG_PRINT("exit", ("message: %s", buf->ptr())); DBUG_PRINT("exit", ("message: %s", buf->ptr()));
DBUG_RETURN(FALSE); DBUG_RETURN(FALSE);
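Review bot: The local `remote_error` in stash_remote_error() is now assigned but never read, because the new `my_snprintf` call fetches `mysql_error(mysql)` a second time instead of using it. Either pass the local, `my_snprintf(remote_error_buf, sizeof(remote_error_buf), "%s", remote_error);`, or drop the declaration, so the function reads the remote error text once and does not trigger an unused-variable warning. A short comment above the call, for example `/* remote error text is untrusted: pass it as an argument, never as the format string */`, would keep a later cleanup from reintroducing the old form. Both stash_remote_error() and get_error_message() begin outside the visible hunks, so this is based only on the lines shown.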
......
...@@ -159,7 +159,6 @@ class ha_federated: public handler ...@@ -159,7 +159,6 @@ class ha_federated: public handler
MYSQL_ROW_OFFSET current_position; // Current position used by ::position() MYSQL_ROW_OFFSET current_position; // Current position used by ::position()
int remote_error_number; int remote_error_number;
char remote_error_buf[FEDERATED_QUERY_BUFFER_SIZE]; char remote_error_buf[FEDERATED_QUERY_BUFFER_SIZE];
uint remote_error_len;
private: private:
/* /*
......