26f03b0b
Commit
26f03b0b
authored
Oct 30, 2007
by
davi@moksha.com.br
Merge moksha.local:/Users/davi/mysql/bugs/31669-5.0
into moksha.local:/Users/davi/mysql/mysql-5.0-runtime
parents
6d15d42e
dac55f09
Showing
2 changed files
with
98 additions
and
3 deletions
+98
-3
libmysql/libmysql.c
libmysql/libmysql.c
+4
-3
tests/mysql_client_test.c
tests/mysql_client_test.c
+94
-0
libmysql/libmysql.c
...
@@ -706,7 +706,8 @@ int cli_read_change_user_result(MYSQL *mysql, char *buff, const char *passwd)
...
@@ -706,7 +706,8 @@ int cli_read_change_user_result(MYSQL *mysql, char *buff, const char *passwd)
my_bool
STDCALL
mysql_change_user
(
MYSQL
*
mysql
,
const
char
*
user
,
my_bool
STDCALL
mysql_change_user
(
MYSQL
*
mysql
,
const
char
*
user
,
const
char
*
passwd
,
const
char
*
db
)
const
char
*
passwd
,
const
char
*
db
)
{
{
char
buff
[
512
],
*
end
=
buff
;
char
buff
[
USERNAME_LENGTH
+
SCRAMBLED_PASSWORD_CHAR_LENGTH
+
NAME_LEN
+
2
];
char
*
end
=
buff
;
int
rc
;
int
rc
;
DBUG_ENTER
(
"mysql_change_user"
);
DBUG_ENTER
(
"mysql_change_user"
);
...
@@ -716,7 +717,7 @@ my_bool STDCALL mysql_change_user(MYSQL *mysql, const char *user,
...
@@ -716,7 +717,7 @@ my_bool STDCALL mysql_change_user(MYSQL *mysql, const char *user,
passwd
=
""
;
passwd
=
""
;
/* Store user into the buffer */
/* Store user into the buffer */
end
=
strmov
(
end
,
user
)
+
1
;
end
=
strmake
(
end
,
user
,
USERNAME_LENGTH
)
+
1
;
/* write scrambled password according to server capabilities */
/* write scrambled password according to server capabilities */
if
(
passwd
[
0
])
if
(
passwd
[
0
])
...
@@ -736,7 +737,7 @@ my_bool STDCALL mysql_change_user(MYSQL *mysql, const char *user,
...
@@ -736,7 +737,7 @@ my_bool STDCALL mysql_change_user(MYSQL *mysql, const char *user,
else
else
*
end
++=
'\0'
;
/* empty password */
*
end
++=
'\0'
;
/* empty password */
/* Add database if needed */
/* Add database if needed */
end
=
strm
ov
(
end
,
db
?
db
:
""
)
+
1
;
end
=
strm
ake
(
end
,
db
?
db
:
""
,
NAME_LEN
)
+
1
;
/* Write authentication package */
/* Write authentication package */
simple_command
(
mysql
,
COM_CHANGE_USER
,
buff
,(
ulong
)
(
end
-
buff
),
1
);
simple_command
(
mysql
,
COM_CHANGE_USER
,
buff
,(
ulong
)
(
end
-
buff
),
1
);
...
...
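Review bot: The two `strmake()` calls in the second and third hunks shorten an over-long `user` or `db` to `USERNAME_LENGTH` / `NAME_LEN` bytes without telling the caller, so the COM_CHANGE_USER packet can name a different account or schema than the one passed in. The bounded copy appears to be what keeps `buff` from overflowing, but rejecting over-long arguments with a client-side error before the copy would be stricter than sending a truncated identity (a byte-count cut can also split a multi-byte character, if these names may be multi-byte). The new size of `buff` is also unexplained; a comment such as `/* user + NUL, scrambled password, db + NUL; strmake() writes at most N bytes plus the terminator */` above the declaration would help. The password branch lies between the hunks and is not visible here, so it is worth confirming that what it writes never exceeds `SCRAMBLED_PASSWORD_CHAR_LENGTH` bytes. The body of `mysql_change_user` continues outside the hunks.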
tests/mysql_client_test.c
...
@@ -15864,6 +15864,99 @@ static void test_bug29306()
...
@@ -15864,6 +15864,99 @@ static void test_bug29306()
DBUG_VOID_RETURN
;
DBUG_VOID_RETURN
;
}
}
/**
Bug#31669 Buffer overflow in mysql_change_user()
*/
#define LARGE_BUFFER_SIZE 2048
static
void
test_bug31669
()
{
int
rc
;
static
char
buff
[
LARGE_BUFFER_SIZE
+
1
];
#ifndef EMBEDDED_LIBRARY
static
char
user
[
USERNAME_LENGTH
+
1
];
static
char
db
[
NAME_LEN
+
1
];
static
char
query
[
LARGE_BUFFER_SIZE
*
2
];
#endif
DBUG_ENTER
(
"test_bug31669"
);
myheader
(
"test_bug31669"
);
rc
=
mysql_change_user
(
mysql
,
NULL
,
NULL
,
NULL
);
DIE_UNLESS
(
rc
);
rc
=
mysql_change_user
(
mysql
,
""
,
""
,
""
);
DIE_UNLESS
(
rc
);
memset
(
buff
,
'a'
,
sizeof
(
buff
));
rc
=
mysql_change_user
(
mysql
,
buff
,
buff
,
buff
);
DIE_UNLESS
(
rc
);
rc
=
mysql_change_user
(
mysql
,
opt_user
,
opt_password
,
current_db
);
DIE_UNLESS
(
!
rc
);
#ifndef EMBEDDED_LIBRARY
memset
(
db
,
'a'
,
sizeof
(
db
));
db
[
NAME_LEN
]
=
0
;
strxmov
(
query
,
"CREATE DATABASE IF NOT EXISTS "
,
db
,
NullS
);
rc
=
mysql_query
(
mysql
,
query
);
myquery
(
rc
);
memset
(
user
,
'b'
,
sizeof
(
user
));
user
[
USERNAME_LENGTH
]
=
0
;
memset
(
buff
,
'c'
,
sizeof
(
buff
));
buff
[
LARGE_BUFFER_SIZE
]
=
0
;
strxmov
(
query
,
"GRANT ALL PRIVILEGES ON *.* TO '"
,
user
,
"'@'%' IDENTIFIED BY "
"'"
,
buff
,
"' WITH GRANT OPTION"
,
NullS
);
rc
=
mysql_query
(
mysql
,
query
);
myquery
(
rc
);
rc
=
mysql_query
(
mysql
,
"FLUSH PRIVILEGES"
);
myquery
(
rc
);
rc
=
mysql_change_user
(
mysql
,
user
,
buff
,
db
);
DIE_UNLESS
(
!
rc
);
user
[
USERNAME_LENGTH
-
1
]
=
'a'
;
rc
=
mysql_change_user
(
mysql
,
user
,
buff
,
db
);
DIE_UNLESS
(
rc
);
user
[
USERNAME_LENGTH
-
1
]
=
'b'
;
buff
[
LARGE_BUFFER_SIZE
-
1
]
=
'd'
;
rc
=
mysql_change_user
(
mysql
,
user
,
buff
,
db
);
DIE_UNLESS
(
rc
);
buff
[
LARGE_BUFFER_SIZE
-
1
]
=
'c'
;
db
[
NAME_LEN
-
1
]
=
'e'
;
rc
=
mysql_change_user
(
mysql
,
user
,
buff
,
db
);
DIE_UNLESS
(
rc
);
db
[
NAME_LEN
-
1
]
=
'a'
;
rc
=
mysql_change_user
(
mysql
,
user
,
buff
,
db
);
DIE_UNLESS
(
!
rc
);
rc
=
mysql_change_user
(
mysql
,
user
+
1
,
buff
+
1
,
db
+
1
);
DIE_UNLESS
(
rc
);
rc
=
mysql_change_user
(
mysql
,
opt_user
,
opt_password
,
current_db
);
DIE_UNLESS
(
!
rc
);
strxmov
(
query
,
"DROP DATABASE "
,
db
,
NullS
);
rc
=
mysql_query
(
mysql
,
query
);
myquery
(
rc
);
strxmov
(
query
,
"DELETE FROM mysql.user WHERE User='"
,
user
,
"'"
,
NullS
);
rc
=
mysql_query
(
mysql
,
query
);
myquery
(
rc
);
DIE_UNLESS
(
mysql_affected_rows
(
mysql
)
==
1
);
#endif
DBUG_VOID_RETURN
;
}
/*
/*
Read and parse arguments and MySQL options from my.cnf
Read and parse arguments and MySQL options from my.cnf
*/
*/
...
@@ -16156,6 +16249,7 @@ static struct my_tests_st my_tests[]= {
...
@@ -16156,6 +16249,7 @@ static struct my_tests_st my_tests[]= {
{
"test_bug27592"
,
test_bug27592
},
{
"test_bug27592"
,
test_bug27592
},
{
"test_bug29948"
,
test_bug29948
},
{
"test_bug29948"
,
test_bug29948
},
{
"test_bug29306"
,
test_bug29306
},
{
"test_bug29306"
,
test_bug29306
},
{
"test_bug31669"
,
test_bug31669
},
{
0
,
0
}
{
0
,
0
}
};
};
...
...
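Review bot: The first `memset(buff, 'a', sizeof(buff));` in `test_bug31669` fills all `LARGE_BUFFER_SIZE + 1` bytes, so `buff` has no terminating NUL when it is passed three times to `mysql_change_user()` and the library reads past the end of the array. Add `buff[LARGE_BUFFER_SIZE]= 0;` before that call, as the later `'c'` fill already does. The cleanup at the end removes the test account with `DELETE FROM mysql.user` but issues no `FLUSH PRIVILEGES` afterwards, so the `GRANT ALL PRIVILEGES ON *.* ... WITH GRANT OPTION` account for `'%'` presumably stays active in the server's in-memory privilege tables until the next reload; following the delete with `FLUSH PRIVILEGES` would close that. A failing `DIE_UNLESS` between the GRANT and the cleanup also leaves that account and the database behind.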