Commit 11493dfd authored by Kristofer Pettersson's avatar Kristofer Pettersson

Bug#40778 thd_security_context has bad architecture; allocates on unprotected memroot

                  
The function thd_security_context allocates memory on an unprotected MEM_ROOT if the
message length becomes longer than requested and the initial buffer memory needs to
be reallocated.
                  
This patch fixes the design error by copying parts of the reallocated buffer 
to the destination buffer. This works because the destination buffer isn't
owned by the String object and thus isn't freed when a new buffer is allocated.
Any new memory allocated by the String object is reclaimed when the object
is destroyed at the end of the function call.
parent 95007f5e
...@@ -311,7 +311,7 @@ void thd_inc_row_count(THD *thd) ...@@ -311,7 +311,7 @@ void thd_inc_row_count(THD *thd)
Dumps a text description of a thread, its security context Dumps a text description of a thread, its security context
(user, host) and the current query. (user, host) and the current query.
@param thd current thread context @param thd thread context
@param buffer pointer to preferred result buffer @param buffer pointer to preferred result buffer
@param length length of buffer @param length length of buffer
@param max_query_len how many chars of query to copy (0 for all) @param max_query_len how many chars of query to copy (0 for all)
...@@ -385,7 +385,17 @@ char *thd_security_context(THD *thd, char *buffer, unsigned int length, ...@@ -385,7 +385,17 @@ char *thd_security_context(THD *thd, char *buffer, unsigned int length,
} }
if (str.c_ptr_safe() == buffer) if (str.c_ptr_safe() == buffer)
return buffer; return buffer;
return thd->strmake(str.ptr(), str.length());
/*
We have to copy the new string to the destination buffer because the string
was reallocated to a larger buffer to be able to fit.
*/
DBUG_ASSERT(buffer != NULL);
length= min(str.length(), length-1);
memcpy(buffer, str.c_ptr_quick(), length);
/* Make sure that the new string is null terminated */
buffer[length]= '\0';
return buffer;
} }
/** /**
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment