Commit 5829ac20 authored by Dmitry Shulga's avatar Dmitry Shulga

Fixed bug#11840395 (formerly known as bug#60347: THE STRING "VERSIONDATA"

SEEMS TO BE 'LEAKING' INTO THE SCHEMA NAME SPACE)
and bug#12428824 (Parser stack overflow and crash in sp_add_used_routine
with obscure query).

The first problem was that attempts to call a stored function by
its fully qualified name ended up with unwarranted error "ERROR 1305
(42000): FUNCTION someMixedCaseDb.my_function_name does not exist"
if this function belonged to a schema that had uppercase letters in
its name AND --lower_case_table_names was equal to either 1 or 2.

The second problem was that 5.5 version of MySQL server might have
crashed when a user tried to call stored function with too long name
or too long database name (i.e if a function and database name combined
occupied more than 2*3*64 bytes in utf8). This issue didn't affect
versions of server < 5.5.
 
The first problem was caused by the fact that in cases when a stored
function was called by its fully qualified name we didn't lowercase
name of its schema before performing look up of the function in
mysql.proc table even although lower_case_table_names mode was on.
As result we were unable to find this function since during its
creation we store lowercased version of schema name in the system
table in this mode and field for schema name uses binary collation.

Calls to stored functions were unaffected by this problem since for
them schema name is converted to lowercase as necessary.

The reason for the second bug was that MySQL Server didn't check length
of function name and database name before proceeding with execution of
stored function. As a consequence too long database name or function
name caused buffer overruns in places where the code assumes that their
length is within fixed limits, like mdl_key_init() in 5.5.

Again this issue didn't affect calls to stored procedures as for them
length of schema name and procedure name are properly checked.

This patch fixes both these bugs by adding calls to check_db_name()
and check_routine_name() to grammar rule which corresponds to a call
to a stored function. These functions ensure that length of database
name and function name for routine called is within standard limit.
Moreover call to check_db_name() handles conversion of database name
to lowercase if --lower_case_table_names mode is on.

Note that even although the second issue seems to be only reproducible
in 5.5 we still add code fixing it to 5.1 to be on the safe side (and
make code a bit more robust against possible future changes).

mysql-test/r/sp-error.result:
  Added testcase results for bug#12428824.
mysql-test/r/sp.result:
  Added testcase result for bug#11840395.
mysql-test/t/sp-error.test:
  Added testcase for bug#12428824.
mysql-test/t/sp.test:
  Added testcase for bug#11840395.
sql/sql_yacc.yy:
  Modified 'function_call_generic' rule to call check_db_name() and
  check_routine_name() in order to ensure that lengths of database name
  and function name are within limits. check_db_name() is also responsible
  for normalizing function's database name for lookup in cases when
  lowercase_table_names mode is on.
parent 9325f792
...@@ -1685,4 +1685,20 @@ ERROR HY000: View 'test.v1' references invalid table(s) or column(s) or function ...@@ -1685,4 +1685,20 @@ ERROR HY000: View 'test.v1' references invalid table(s) or column(s) or function
DROP PROCEDURE p1; DROP PROCEDURE p1;
DROP VIEW v1; DROP VIEW v1;
DROP TABLE t1; DROP TABLE t1;
#
# Bug#12428824 - PARSER STACK OVERFLOW AND CRASH IN SP_ADD_USED_ROUTINE
# WITH OBSCURE QUERY
#
SELECT very_long_fn_name_1111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222225555555555555555555555555577777777777777777777777777777777777777777777777777777777777777777777777788888888999999999999999999999();
ERROR 42000: Identifier name 'very_long_fn_name_1111111111111111111111111111111111111111111111111111111111111111111111111222222222' is too long
CALL very_long_pr_name_1111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222225555555555555555555555555577777777777777777777777777777777777777777777777777777777777777777777777788888888999999999999999999999();
ERROR 42000: Identifier name 'very_long_pr_name_1111111111111111111111111111111111111111111111111111111111111111111111111222222222' is too long
SELECT very_long_db_name_1111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222225555555555555555555555555577777777777777777777777777777777777777777777777777777777777777777777777788888888999999999999999999999.simple_func();
ERROR 42000: Incorrect database name 'very_long_db_name_1111111111111111111111111111111111111111111111111111111111111111111111111222222222'
CALL very_long_db_name_1111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222225555555555555555555555555577777777777777777777777777777777777777777777777777777777777777777777777788888888999999999999999999999.simple_proc();
ERROR 42000: Incorrect database name 'very_long_db_name_1111111111111111111111111111111111111111111111111111111111111111111111111222222222'
SELECT db_name.very_long_fn_name_111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222999999999999999999999();
ERROR 42000: Identifier name 'very_long_fn_name_1111111111111111111111111111111111111111111111111111111111111111111111111222222222' is too long
CALL db_name.very_long_pr_name_111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222999999999999999999999();
ERROR 42000: Identifier name 'very_long_pr_name_1111111111111111111111111111111111111111111111111111111111111111111111111222222222' is too long
End of 5.1 tests End of 5.1 tests
...@@ -7053,6 +7053,21 @@ init_connect ...@@ -7053,6 +7053,21 @@ init_connect
SET @@GLOBAL.init_connect= @old_init_connect; SET @@GLOBAL.init_connect= @old_init_connect;
DROP PROCEDURE p2; DROP PROCEDURE p2;
DROP PROCEDURE p5; DROP PROCEDURE p5;
#
# Bug#11840395 (formerly known as bug#60347):
# The string "versiondata" seems to be 'leaking' into the schema name space
# to be 'leaking' into the schema name space
#
DROP DATABASE IF EXISTS mixedCaseDbName;
CREATE DATABASE mixedCaseDbName;
CREATE PROCEDURE mixedCaseDbName.tryMyProc() begin end|
CREATE FUNCTION mixedCaseDbName.tryMyFunc() returns text begin return 'IT WORKS'; end
|
call mixedCaseDbName.tryMyProc();
select mixedCaseDbName.tryMyFunc();
mixedCaseDbName.tryMyFunc()
IT WORKS
DROP DATABASE mixedCaseDbName;
# ------------------------------------------------------------------ # ------------------------------------------------------------------
# -- End of 5.1 tests # -- End of 5.1 tests
# ------------------------------------------------------------------ # ------------------------------------------------------------------
...@@ -2471,4 +2471,26 @@ DROP PROCEDURE p1; ...@@ -2471,4 +2471,26 @@ DROP PROCEDURE p1;
DROP VIEW v1; DROP VIEW v1;
DROP TABLE t1; DROP TABLE t1;
--echo #
--echo # Bug#12428824 - PARSER STACK OVERFLOW AND CRASH IN SP_ADD_USED_ROUTINE
--echo # WITH OBSCURE QUERY
--echo #
--error ER_TOO_LONG_IDENT
SELECT very_long_fn_name_1111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222225555555555555555555555555577777777777777777777777777777777777777777777777777777777777777777777777788888888999999999999999999999();
--error ER_TOO_LONG_IDENT
CALL very_long_pr_name_1111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222225555555555555555555555555577777777777777777777777777777777777777777777777777777777777777777777777788888888999999999999999999999();
--error ER_WRONG_DB_NAME
SELECT very_long_db_name_1111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222225555555555555555555555555577777777777777777777777777777777777777777777777777777777777777777777777788888888999999999999999999999.simple_func();
--error ER_WRONG_DB_NAME
CALL very_long_db_name_1111111111111111111111111111111111111111111111111111111111111111111111111222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222225555555555555555555555555577777777777777777777777777777777777777777777777777777777777777777777777788888888999999999999999999999.simple_proc();
--error ER_TOO_LONG_IDENT
SELECT db_name.very_long_fn_name_111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222999999999999999999999();
--error ER_TOO_LONG_IDENT
CALL db_name.very_long_pr_name_111111111111111111111111111111111111111111111111111111111111111111111111122222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222999999999999999999999();
--echo End of 5.1 tests --echo End of 5.1 tests
...@@ -8350,6 +8350,24 @@ SET @@GLOBAL.init_connect= @old_init_connect; ...@@ -8350,6 +8350,24 @@ SET @@GLOBAL.init_connect= @old_init_connect;
DROP PROCEDURE p2; DROP PROCEDURE p2;
DROP PROCEDURE p5; DROP PROCEDURE p5;
--echo #
--echo # Bug#11840395 (formerly known as bug#60347):
--echo # The string "versiondata" seems to be 'leaking' into the schema name space
--echo # to be 'leaking' into the schema name space
--echo #
--disable_warnings
DROP DATABASE IF EXISTS mixedCaseDbName;
--enable_warnings
CREATE DATABASE mixedCaseDbName;
DELIMITER |;
CREATE PROCEDURE mixedCaseDbName.tryMyProc() begin end|
CREATE FUNCTION mixedCaseDbName.tryMyFunc() returns text begin return 'IT WORKS'; end
|
DELIMITER ;|
call mixedCaseDbName.tryMyProc();
select mixedCaseDbName.tryMyFunc();
DROP DATABASE mixedCaseDbName;
--echo # ------------------------------------------------------------------ --echo # ------------------------------------------------------------------
--echo # -- End of 5.1 tests --echo # -- End of 5.1 tests
--echo # ------------------------------------------------------------------ --echo # ------------------------------------------------------------------
...@@ -8020,6 +8020,11 @@ function_call_generic: ...@@ -8020,6 +8020,11 @@ function_call_generic:
Create_func *builder; Create_func *builder;
Item *item= NULL; Item *item= NULL;
if (check_routine_name(&$1))
{
MYSQL_YYABORT;
}
/* /*
Implementation note: Implementation note:
names are resolved with the following order: names are resolved with the following order:
...@@ -8083,6 +8088,16 @@ function_call_generic: ...@@ -8083,6 +8088,16 @@ function_call_generic:
version() (a vendor can specify any schema). version() (a vendor can specify any schema).
*/ */
if (!$1.str || check_db_name(&$1))
{
my_error(ER_WRONG_DB_NAME, MYF(0), $1.str);
MYSQL_YYABORT;
}
if (check_routine_name(&$3))
{
MYSQL_YYABORT;
}
builder= find_qualified_function_builder(thd); builder= find_qualified_function_builder(thd);
DBUG_ASSERT(builder); DBUG_ASSERT(builder);
item= builder->create(thd, $1, $3, true, $5); item= builder->create(thd, $1, $3, true, $5);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment