BUG#18779944: MYSQLDUMP BUFFER OVERFLOW
Mysqldump overflows a stack buffer when copying a table name from the command-line arguments, resulting in stack corruption and the ability to execute arbitrary code. Fix: Check that the length of every positional argument passed to mysqldump is smaller than NAME_LEN. Note: Mysqldump depends heavily on database objects (databases, tablespaces, tables, etc.) being limited to a small size (currently 64).
parent
5111df0814
commit
220c9332bf
@ -5538,19 +5538,36 @@ int main(int argc, char **argv)
|
|||||||
dump_all_tablespaces();
|
dump_all_tablespaces();
|
||||||
dump_all_databases();
|
dump_all_databases();
|
||||||
}
|
}
|
||||||
else if (argc > 1 && !opt_databases)
|
|
||||||
{
|
|
||||||
/* Only one database and selected table(s) */
|
|
||||||
if (!opt_alltspcs && !opt_notspcs)
|
|
||||||
dump_tablespaces_for_tables(*argv, (argv + 1), (argc -1));
|
|
||||||
dump_selected_tables(*argv, (argv + 1), (argc - 1));
|
|
||||||
}
|
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
/* One or more databases, all tables */
|
// Check all arguments meet length condition. Currently database and table
|
||||||
if (!opt_alltspcs && !opt_notspcs)
|
// names are limited to NAME_LEN bytes and stack-based buffers assumes
|
||||||
dump_tablespaces_for_databases(argv);
|
// that escaped name will be not longer than NAME_LEN*2 + 2 bytes long.
|
||||||
dump_databases(argv);
|
int argument;
|
||||||
|
for (argument= 0; argument < argc; argument++)
|
||||||
|
{
|
||||||
|
size_t argument_length= strlen(argv[argument]);
|
||||||
|
if (argument_length > NAME_LEN)
|
||||||
|
{
|
||||||
|
die(EX_CONSCHECK, "[ERROR] Argument '%s' is too long, it cannot be "
|
||||||
|
"name for any table or database.\n", argv[argument]);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if (argc > 1 && !opt_databases)
|
||||||
|
{
|
||||||
|
/* Only one database and selected table(s) */
|
||||||
|
if (!opt_alltspcs && !opt_notspcs)
|
||||||
|
dump_tablespaces_for_tables(*argv, (argv + 1), (argc - 1));
|
||||||
|
dump_selected_tables(*argv, (argv + 1), (argc - 1));
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
/* One or more databases, all tables */
|
||||||
|
if (!opt_alltspcs && !opt_notspcs)
|
||||||
|
dump_tablespaces_for_databases(argv);
|
||||||
|
dump_databases(argv);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/* if --dump-slave , start the slave sql thread */
|
/* if --dump-slave , start the slave sql thread */
|
||||||
|
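Review bot: The length check added at the top of the new `else` block validates only the positional `argv` entries, while the stack buffers that actually overflow are filled at copy sites outside this hunk, so those copies remain unbounded. If table or database names can reach the same buffers by another route, such as option values or rows returned by the server (not visible here, so this needs confirming), they need the same `NAME_LEN` bound. The more durable fix is to bound the write where the `NAME_LEN*2 + 2` buffer is filled, keeping this check as an early, readable error. I would also document the boundary at the check, e.g. `/* strlen() counts bytes; a name of exactly NAME_LEN bytes is accepted */`, since the commit description says "smaller than" while the code rejects only `> NAME_LEN`. `main` begins and ends outside the hunk.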