BUG#24437124: POSSIBLE BUFFER OVERFLOW ON CREATE TABLE

ANALYSIS: ========= 'CREATE TABLE' query with a large value for 'CONNECTION' string reports an incorrect error. The length of connection string is stored in .frm in two bytes (max value= 65535). When the string length exceeds the max value, the length is truncated to fit the two bytes limit. Further processing leads to reading only a part of the string as the length stored is incorrect. The remaining part of the string is treated as engine type and hence results in an error. FIX: ==== We are now restricting the connection string length to 1024. An appropriate error is reported if the length crosses this limit. NOTE: ===== The 'PASSWORD' table option is documented as unused and processed within a dead code. Hence it will not cause similar issue with large strings.

BUG#24437124: POSSIBLE BUFFER OVERFLOW ON CREATE TABLE
ANALYSIS: ========= 'CREATE TABLE' query with a large value for 'CONNECTION' string reports an incorrect error. The length of connection string is stored in .frm in two bytes (max value= 65535). When the string length exceeds the max value, the length is truncated to fit the two bytes limit. Further processing leads to reading only a part of the string as the length stored is incorrect. The remaining part of the string is treated as engine type and hence results in an error. FIX: ==== We are now restricting the connection string length to 1024. An appropriate error is reported if the length crosses this limit. NOTE: ===== The 'PASSWORD' table option is documented as unused and processed within a dead code. Hence it will not cause similar issue with large strings.
a63185e8 · Karthik Kamath · 2f2103d5 · a63185e8 · a63185e8
Commit a63185e8 authored Nov 10, 2016 by Karthik Kamath
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 1 deletion

include/mysql_com.h include/mysql_com.h +2 -1

sql/sql_table.cc sql/sql_table.cc +15 -0

No files found.
--- a/include/mysql_com.h
+++ b/include/mysql_com.h
-/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -26,6 +26,7 @@
 #define USERNAME_CHAR_LENGTH 16
 #define NAME_LEN                (NAME_CHAR_LEN*SYSTEM_CHARSET_MBMAXLEN)
 #define USERNAME_LENGTH         (USERNAME_CHAR_LENGTH*SYSTEM_CHARSET_MBMAXLEN)
+#define CONNECT_STRING_MAXLEN 1024

 #define MYSQL_AUTODETECT_CHARSET_NAME "auto"


--- a/sql/sql_table.cc
+++ b/sql/sql_table.cc
@@ -2851,6 +2851,21 @@ mysql_prepare_create_table(THD *thd, HA_CREATE_INFO *create_info,
  uint total_uneven_bit_length= 0;
  DBUG_ENTER("mysql_prepare_create_table");

+  LEX_STRING* connect_string = &create_info->connect_string;
+  if (connect_string->length != 0 &&
+      connect_string->length > CONNECT_STRING_MAXLEN &&
+      (system_charset_info->cset->charpos(system_charset_info,
+                                          connect_string->str,
+                                          (connect_string->str +
+                                           connect_string->length),
+                                          CONNECT_STRING_MAXLEN)
+      < connect_string->length))
+  {
+    my_error(ER_WRONG_STRING_LENGTH, MYF(0),
+             connect_string->str, "CONNECTION", CONNECT_STRING_MAXLEN);
+    DBUG_RETURN(TRUE);
+  }
+
  select_field_pos= alter_info->create_list.elements - select_field_count;
  null_fields=blob_columns=0;
  create_info->varchar= 0;