From 17d716c9c67f17cb4a9cb94ab9091ba2ab38254a Mon Sep 17 00:00:00 2001
From: Sergei Golubchik
Date: Thu, 7 Jul 2011 22:37:38 +0200
Subject: [PATCH 1/4] protocol safety fix: before strlen(db) we need to be sure that db lies within packet boundaries
---
sql/sql_connect.cc | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/sql/sql_connect.cc b/sql/sql_connect.cc
index ec0f65e3c58..59a18477259 100644
--- a/sql/sql_connect.cc
+++ b/sql/sql_connect.cc
@@ -893,16 +893,17 @@ static int check_connection(THD *thd)
 (uchar)(*passwd++) : strlen(passwd);
 db= thd->client_capabilities & CLIENT_CONNECT_WITH_DB ?
 db + passwd_len + 1 : 0;
- /* strlen() can't be easily deleted without changing protocol */
- uint db_len= db ? strlen(db) : 0;
- if (passwd + passwd_len + db_len > (char *)net->read_pos + pkt_len)
+ if (passwd + passwd_len + test(db) > (char *)net->read_pos + pkt_len)
 {
 inc_host_errors(&thd->remote.sin_addr);
 my_error(ER_HANDSHAKE_ERROR, MYF(0), thd->main_security_ctx.host_or_ip);
 return 1;
 }
+ /* strlen() can't be easily deleted without changing protocol */
+ uint db_len= db ? strlen(db) : 0;
+
 /* Since 4.1 all database names are stored in utf8 */
 if (db)
 {
From d25f8cdc55e20436190aec6ea9dcf7403012c02e Mon Sep 17 00:00:00 2001
From: Vladislav Vaintroub
Date: Sun, 10 Jul 2011 12:27:42 +0200
Subject: [PATCH 2/4] LPBUG#808233: Undefined uint in typelib.h
Fix is to replace uint in public header with unsigned int. uint is not guaranteed to be defined by system headers.
---
include/typelib.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/typelib.h b/include/typelib.h
index a5ac5cc7bbf..16c719e3419 100644
--- a/include/typelib.h
+++ b/include/typelib.h
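Review bot: The relaxed guard on the `+ if (passwd + passwd_len + test(db) > (char *)net->read_pos + pkt_len)` line only proves that `db` does not start beyond the packet end; the `strlen(db)` that now runs after it is bounded only if the packet buffer carries a terminating NUL at `read_pos[pkt_len]`, and nothing in this hunk shows that. If the net layer's packet reader guarantees that terminator (as far as I recall it does), the dependency deserves a comment beside the check, e.g. `/* db must start inside the packet; the NUL written after pkt_len bounds the strlen(db) below */`; if it does not, the old `db + db_len` bound needs to be re-checked after the strlen. Note also that the comparison admits `db == read_pos + pkt_len`, which only yields an empty name because of that same terminator. check_connection begins and ends outside the hunk.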
@@ -29,7 +29,7 @@ typedef struct st_typelib { /* Different types saved here */
 extern my_ulonglong find_typeset(char *x, TYPELIB *typelib,int *error_position);
 extern int find_type_with_warning(const char *x, TYPELIB *typelib,
 const char *option);
-extern uint find_type_or_exit(const char *x, TYPELIB *typelib,
+extern unsigned int find_type_or_exit(const char *x, TYPELIB *typelib,
 const char *option);
 extern int find_type(char *x, const TYPELIB *typelib, unsigned int full_name);
 extern void make_type(char *to,unsigned int nr,TYPELIB *typelib);
From 3d4ff9a239d0749dcc7e8c7857c4b2fc3b17f255 Mon Sep 17 00:00:00 2001
From: Vladislav Vaintroub
Date: Sun, 10 Jul 2011 13:38:15 +0200
Subject: [PATCH 3/4] Post-fix for LP808233 : replace uint with "unsigned int" in mysql.h.pp, too
---
include/mysql.h.pp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/mysql.h.pp b/include/mysql.h.pp
index 86ca04fe766..a3bce0e5506 100644
--- a/include/mysql.h.pp
+++ b/include/mysql.h.pp
@@ -224,7 +224,7 @@ typedef struct st_typelib {
 extern my_ulonglong find_typeset(char *x, TYPELIB *typelib,int *error_position);
 extern int find_type_with_warning(const char *x, TYPELIB *typelib,
 const char *option);
-extern uint find_type_or_exit(const char *x, TYPELIB *typelib,
+extern unsigned int find_type_or_exit(const char *x, TYPELIB *typelib,
 const char *option);
 extern int find_type(char *x, const TYPELIB *typelib, unsigned int full_name);
 extern void make_type(char *to,unsigned int nr,TYPELIB *typelib);
From 541469f7cbcbe73ea2f5e915e6fe3b94e2a8059f Mon Sep 17 00:00:00 2001
From: Sergei Golubchik
Date: Tue, 12 Jul 2011 08:58:33 +0200
Subject: [PATCH 4/4] bugfix: create internal temporary tables in mysql_tmpdir, not in datadir
---
sql/sql_select.cc | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index 63eba6b19e3..c7b14fbb675 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -10092,7 +10092,7 @@ create_tmp_table(THD *thd,TMP_TABLE_PARAM *param,List &fields,
 bool using_unique_constraint= 0;
 bool use_packed_rows= 0;
 bool not_all_columns= !(select_options & TMP_TABLE_ALL_COLUMNS);
- char *tmpname,path[FN_REFLEN], tmp_table_name[50];
+ char *tmpname,path[FN_REFLEN];
 uchar *pos, *group_buff, *bitmaps;
 uchar *null_flags;
 Field **reg_field, **from_field, **default_field;
@@ -10123,12 +10123,12 @@ create_tmp_table(THD *thd,TMP_TABLE_PARAM *param,List &fields,
 temp_pool_slot = bitmap_lock_set_next(&temp_pool);
 if (temp_pool_slot != MY_BIT_NONE) // we got a slot
- sprintf(tmp_table_name, "%s_%lx_%i", tmp_file_prefix,
+ sprintf(path, "%s_%lx_%i", tmp_file_prefix,
 current_pid, temp_pool_slot);
 else
 {
 /* if we run out of slots or we are not using tempool */
- sprintf(tmp_table_name, "%s%lx_%lx_%x", tmp_file_prefix,current_pid,
+ sprintf(path, "%s%lx_%lx_%x", tmp_file_prefix,current_pid,
 thd->thread_id, thd->tmp_table++);
 }
@@ -10136,7 +10136,7 @@ create_tmp_table(THD *thd,TMP_TABLE_PARAM *param,List &fields,
 No need to change table name to lower case as we are only creating
 MyISAM, Maria or HEAP tables here
 */
- fn_format(path, tmp_table_name, mysql_tmpdir, "",
+ fn_format(path, path, mysql_tmpdir, "",
 MY_REPLACE_EXT|MY_UNPACK_FILENAME);
 if (group)
@@ -10183,7 +10183,7 @@ create_tmp_table(THD *thd,TMP_TABLE_PARAM *param,List &fields,
 sizeof(*key_part_info)*(param->group_parts+1),
 ¶m->start_recinfo,
 sizeof(*param->recinfo)*(field_count*2+4),
- &tmpname, (uint) strlen(tmp_table_name)+1,
+ &tmpname, (uint) strlen(path)+1,
 &group_buff, (group && ! using_unique_constraint ?
 param->group_length : 0),
 &bitmaps, bitmap_buffer_size(field_count)*2,
@@ -10202,7 +10202,7 @@ create_tmp_table(THD *thd,TMP_TABLE_PARAM *param,List &fields,
 DBUG_RETURN(NULL); /* purecov: inspected */
 }
 param->items_to_copy= copy_func;
- strmov(tmpname, tmp_table_name);
+ strmov(tmpname, path);
 /* make table according to fields */
 bzero((char*) table,sizeof(*table));
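Review bot: In the second hunk, `sprintf(path, …)` writes the generated name into `path[FN_REFLEN]` with no bound; the fixed prefix and hex fields keep it short in practice, but with `tmp_table_name[50]` gone nothing states that any more, so `snprintf(path, sizeof(path), "%s_%lx_%i", tmp_file_prefix,` (and the same for the `"%s%lx_%lx_%x"` call) would make the bound explicit. The third hunk's `fn_format(path, path, mysql_tmpdir, "",` relies on fn_format tolerating an output buffer that aliases its input; if that is guaranteed it deserves a one-line comment, since the old call used distinct buffers. After the fourth and fifth hunks `tmpname` carries the full tmpdir path instead of the bare generated name, so wherever that name is later shown or compared (outside these hunks) should be confirmed to expect a path. create_tmp_table starts and ends outside the hunks.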