Commit 1746eeda authored by unknown's avatar unknown

fix potential security hole, pointed out by Sergei. Also simplify code per Sergei's suggestion.


sql/ha_federated.cc:
  if the mysql_error(mysql) contained any %-format specifiers, my_snprintf would try to interppret them. Essentially replacing printf(str) with printf("%s", str);
sql/ha_federated.h:
  removed unused remote_error_len variable
parent 5dd9ff3e
......@@ -2616,10 +2616,8 @@ int ha_federated::stash_remote_error()
DBUG_ENTER("ha_federated::stash_remote_error()");
remote_error_number= mysql_errno(mysql);
const char *remote_error= mysql_error(mysql);
remote_error_len= strlen(remote_error);
if(remote_error_len > (sizeof(remote_error_buf) - 1))
remote_error_len= (sizeof(remote_error_buf) - 1);
my_snprintf(remote_error_buf, remote_error_len + 1, remote_error);
my_snprintf(remote_error_buf, sizeof(remote_error_buf), "%s",
mysql_error(mysql));
DBUG_RETURN(HA_FEDERATED_ERROR_WITH_REMOTE_SYSTEM);
}
......@@ -2633,11 +2631,10 @@ bool ha_federated::get_error_message(int error, String* buf)
buf->append("Error on remote system: ");
buf->qs_append(remote_error_number);
buf->append(": ");
buf->append(remote_error_buf, remote_error_len);
buf->append(remote_error_buf);
remote_error_number= 0;
remote_error_buf[0]= '\0';
remote_error_len= 0;
}
DBUG_PRINT("exit", ("message: %s", buf->ptr()));
DBUG_RETURN(FALSE);
......
......@@ -159,7 +159,6 @@ class ha_federated: public handler
MYSQL_ROW_OFFSET current_position; // Current position used by ::position()
int remote_error_number;
char remote_error_buf[FEDERATED_QUERY_BUFFER_SIZE];
uint remote_error_len;
private:
/*
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment