sql_parse.cc:

  buffer overflow and information exposure bugs fixed
  (reported by Stefano Di Paola)
configure.in:
  Changed version to 5.0.17b


configure.in:
  Changed version to 5.0.17b
sql/sql_parse.cc:
  buffer overflow and information exposure bugs fixed
  (reported by Stefano Di Paola)

configure.in

@@ -7,7 +7,7 @@ AC_INIT(sql/mysqld.cc)
 AC_CANONICAL_SYSTEM
 # The Docs Makefile.am parses this line!
 # remember to also change ndb version below and update version.c in ndb
-AM_INIT_AUTOMAKE(mysql, 5.0.17a)
+AM_INIT_AUTOMAKE(mysql, 5.0.17b)
 AM_CONFIG_HEADER(config.h)
 
 PROTOCOL_VERSION=10

sql/sql_parse.cc

@@ -1006,13 +1006,20 @@ static int check_connection(THD *thd)
     *passwd++ : strlen(passwd);
   db= thd->client_capabilities & CLIENT_CONNECT_WITH_DB ?
     db + passwd_len + 1 : 0;
+  uint db_len= db ? strlen(db) : 0;
+
+  if (passwd + passwd_len + db_len > (char *)net->read_pos + pkt_len)
+  {
+    inc_host_errors(&thd->remote.sin_addr);
+    return ER_HANDSHAKE_ERROR;
+  }
 
   /* Since 4.1 all database names are stored in utf8 */
   if (db)
   {
     db_buff[copy_and_convert(db_buff, sizeof(db_buff)-1,
                              system_charset_info,
-                             db, strlen(db),
+                             db, db_len,
                              thd->charset(), &dummy_errors)]= 0;
     db= db_buff;
   }
@@ -1588,7 +1595,17 @@ bool dispatch_command(enum enum_server_command command, THD *thd,
   {
     char *db, *tbl_name;
     uint db_len= *(uchar*) packet;
+    if (db_len >= packet_length || db_len > NAME_LEN)
+    {
+      my_message(ER_UNKNOWN_COM_ERROR, ER(ER_UNKNOWN_COM_ERROR), MYF(0));
+      break;
+    }
     uint tbl_len= *(uchar*) (packet + db_len + 1);
+    if (db_len+tbl_len+2 > packet_length || tbl_len > NAME_LEN)
+    {
+      my_message(ER_UNKNOWN_COM_ERROR, ER(ER_UNKNOWN_COM_ERROR), MYF(0));
+      break;
+    }
 
     statistic_increment(thd->status_var.com_other, &LOCK_status);
     thd->enable_slow_log= opt_log_slow_admin_statements;