Commit 0c68c328 authored by He Zhenxing's avatar He Zhenxing

BUG#52748 Semi-Sync ACK packet isn't check for length

Check the length and use strncpy to make the code safer.
parents e3ff5250 27903a5e
...@@ -602,7 +602,11 @@ source include/stop_slave.inc; ...@@ -602,7 +602,11 @@ source include/stop_slave.inc;
UNINSTALL PLUGIN rpl_semi_sync_slave; UNINSTALL PLUGIN rpl_semi_sync_slave;
connection master; connection master;
# The dump thread may still be running on the master, and so the following
# UNINSTALL could generate a warning about the plugin is busy.
disable_warnings;
UNINSTALL PLUGIN rpl_semi_sync_master; UNINSTALL PLUGIN rpl_semi_sync_master;
enable_warnings;
connection slave; connection slave;
source include/start_slave.inc; source include/start_slave.inc;
...@@ -147,7 +147,8 @@ int ActiveTranx::insert_tranx_node(const char *log_file_name, ...@@ -147,7 +147,8 @@ int ActiveTranx::insert_tranx_node(const char *log_file_name,
} }
/* insert the binlog position in the active transaction list. */ /* insert the binlog position in the active transaction list. */
strcpy(ins_node->log_name_, log_file_name); strncpy(ins_node->log_name_, log_file_name, FN_REFLEN-1);
ins_node->log_name_[FN_REFLEN-1] = 0; /* make sure it ends properly */
ins_node->log_pos_ = log_file_pos; ins_node->log_pos_ = log_file_pos;
if (!trx_front_) if (!trx_front_)
...@@ -1009,13 +1010,15 @@ int ReplSemiSyncMaster::writeTranxInBinlog(const char* log_file_name, ...@@ -1009,13 +1010,15 @@ int ReplSemiSyncMaster::writeTranxInBinlog(const char* log_file_name,
if (cmp > 0) if (cmp > 0)
{ {
/* This is a larger position, let's update the maximum info. */ /* This is a larger position, let's update the maximum info. */
strcpy(commit_file_name_, log_file_name); strncpy(commit_file_name_, log_file_name, FN_REFLEN-1);
commit_file_name_[FN_REFLEN-1] = 0; /* make sure it ends properly */
commit_file_pos_ = log_file_pos; commit_file_pos_ = log_file_pos;
} }
} }
else else
{ {
strcpy(commit_file_name_, log_file_name); strncpy(commit_file_name_, log_file_name, FN_REFLEN-1);
commit_file_name_[FN_REFLEN-1] = 0; /* make sure it ends properly */
commit_file_pos_ = log_file_pos; commit_file_pos_ = log_file_pos;
commit_file_name_inited_ = true; commit_file_name_inited_ = true;
} }
...@@ -1048,6 +1051,7 @@ int ReplSemiSyncMaster::readSlaveReply(NET *net, uint32 server_id, ...@@ -1048,6 +1051,7 @@ int ReplSemiSyncMaster::readSlaveReply(NET *net, uint32 server_id,
const unsigned char *packet; const unsigned char *packet;
char log_file_name[FN_REFLEN]; char log_file_name[FN_REFLEN];
my_off_t log_file_pos; my_off_t log_file_pos;
ulong log_file_len = 0;
ulong packet_len; ulong packet_len;
int result = -1; int result = -1;
...@@ -1123,7 +1127,13 @@ int ReplSemiSyncMaster::readSlaveReply(NET *net, uint32 server_id, ...@@ -1123,7 +1127,13 @@ int ReplSemiSyncMaster::readSlaveReply(NET *net, uint32 server_id,
} }
log_file_pos = uint8korr(packet + REPLY_BINLOG_POS_OFFSET); log_file_pos = uint8korr(packet + REPLY_BINLOG_POS_OFFSET);
strcpy(log_file_name, (const char*)packet + REPLY_BINLOG_NAME_OFFSET); log_file_len = packet_len - REPLY_BINLOG_NAME_OFFSET;
if (log_file_len > FN_REFLEN)
{
sql_print_error("Read semi-sync reply binlog file length too large");
goto l_end;
}
strncpy(log_file_name, (const char*)packet + REPLY_BINLOG_NAME_OFFSET, log_file_len);
if (trc_level & kTraceDetail) if (trc_level & kTraceDetail)
sql_print_information("%s: Got reply (%s, %lu)", sql_print_information("%s: Got reply (%s, %lu)",
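Review bot: The new bound in readSlaveReply admits log_file_len == FN_REFLEN, in which case strncpy fills all of log_file_name[FN_REFLEN] and nothing guarantees a terminating NUL, so the `%s` in the sql_print_information call right after the copy can read past the end of the buffer; the check should be `if (log_file_len >= FN_REFLEN)`. The copy also relies on the peer having placed a NUL inside the name field, which strncpy does not enforce; the two strncpy hunks above terminate explicitly and this one should too, `log_file_name[log_file_len] = 0;` after the strncpy (safe once log_file_len is known to be below FN_REFLEN). If packet_len is smaller than REPLY_BINLOG_NAME_OFFSET the ulong subtraction wraps to a large value that the length check then rejects, which is presumably fine if an earlier packet-length check outside the hunk already covers it. readSlaveReply's body starts before and continues after this hunk.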