Commit 4d9cc3db authored by unknown's avatar unknown

Bug#24924: shared-memory-base-name that is too long causes buffer overflow

long shared-memory-base-names could overflow a static internal buffer
and thus crash mysqld and various clients.  change both to dynamic
buffers, show everything but overflowing those buffers still works.

The test case for this would pretty much amount to
mysqld --shared-memory-base-name=HeyMrBaseNameXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --shared-memory=1 &
mysqladmin --no-defaults --shared-memory-base-name=HeyMrBaseNameXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX shutdown

Unfortunately, we can't just use an .opt file for the
server. The .opt file is used at start-up, before any
include in the actual test can tell mysqltest to skip
this one on non-Windows. As a result, such a test would
break on unices.

Fixing mysql-test-run.pl to export full path for master
and slave would enable us to start a server from within
the test which is ugly and, what's more, doesn't work as
the server blocks (mysqltest offers no fire-and-forget
fork-and-exec), and mysqladmin never gets run.

Making the test rpl_windows_shm or some such so we can
is beyond ugly. As is introducing another file-name based
special case (run "win*.test" only when on Windows). As is
(yuck) coding half the test into mtr (as in, having it
hand out a customized environment conductive to the shm-
thing on Win only).

Situation is exacerbated by the fact that .sh is not
necessary run as expected on Win.

In short, it's just not worth it. No test-case until we
have a new-and-improved test framework.


sql-common/client.c:
  Bug#24924: shared-memory-base-name that is too long causes buffer overflow
  
  compose shared memory name in dynamic rather than static buffer to prevent
  overflows (clients)
sql/mysqld.cc:
  Bug#24924: shared-memory-base-name that is too long causes buffer overflow
  
  compose shared memory name in dynamic rather than static buffer to prevent
  overflows (server)
parent bfc61f2e
......@@ -402,13 +402,19 @@ HANDLE create_shared_memory(MYSQL *mysql,NET *net, uint connect_timeout)
HANDLE handle_file_map = NULL;
ulong connect_number;
char connect_number_char[22], *p;
char tmp[64];
char *tmp= NULL;
char *suffix_pos;
DWORD error_allow = 0;
DWORD error_code = 0;
DWORD event_access_rights= SYNCHRONIZE | EVENT_MODIFY_STATE;
char *shared_memory_base_name = mysql->options.shared_memory_base_name;
/*
get enough space base-name + '_' + longest suffix we might ever send
*/
if (!(tmp= (char *)my_malloc(strlen(shared_memory_base_name) + 32L, MYF(MY_FAE))))
goto err;
/*
The name of event and file-mapping events create agree next rule:
shared_memory_base_name+unique_part
......@@ -551,6 +557,8 @@ HANDLE create_shared_memory(MYSQL *mysql,NET *net, uint connect_timeout)
CloseHandle(handle_file_map);
}
err:
if (tmp)
my_free(tmp, MYF(0));
if (error_allow)
error_code = GetLastError();
if (event_connect_request)
......
......@@ -4420,7 +4420,7 @@ pthread_handler_t handle_connections_shared_memory(void *arg)
HANDLE event_connect_answer= 0;
ulong smem_buffer_length= shared_memory_buffer_length + 4;
ulong connect_number= 1;
char tmp[63];
char *tmp= NULL;
char *suffix_pos;
char connect_number_char[22], *p;
const char *errmsg= 0;
......@@ -4429,6 +4429,12 @@ pthread_handler_t handle_connections_shared_memory(void *arg)
DBUG_ENTER("handle_connections_shared_memorys");
DBUG_PRINT("general",("Waiting for allocated shared memory."));
/*
get enough space base-name + '_' + longest suffix we might ever send
*/
if (!(tmp= (char *)my_malloc(strlen(shared_memory_base_name) + 32L, MYF(MY_FAE))))
goto error;
if (my_security_attr_create(&sa_event, &errmsg,
GENERIC_ALL, SYNCHRONIZE | EVENT_MODIFY_STATE))
goto error;
......@@ -4616,6 +4622,9 @@ pthread_handler_t handle_connections_shared_memory(void *arg)
/* End shared memory handling */
error:
if (tmp)
my_free(tmp, MYF(0));
if (errmsg)
{
char buff[180];
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment