From 9fc5122471a0a919bfeff750b9af2f07ec422668 Mon Sep 17 00:00:00 2001
From: Venkata Sidagam
Date: Wed, 16 Oct 2013 14:14:44 +0530
Subject: [PATCH] Bug#16900358 FIX FOR CVE-2012-5611 IS INCOMPLETE

Description: Fix for bug CVE-2012-5611 (bug 67685) is incomplete. The ACL_KEY_LENGTH-sized buffers in acl_get() and check_grant_db() can be overflowed by up to two bytes. That's probably not enough to do anything more serious than crashing mysqld.

Analysis: In acl_get(), when "copy_length" is calculated it is just adding the variable lengths. But when we are using them with strmov() we are adding +1 to each. This will lead to a three-byte buffer overflow (i.e. two +1's at strmov() and one byte for the null added by the strmov() function). Similarly, it happens for the check_grant_db() function as well.

Fix: We need to add "+2" to "copy_length" in acl_get() and "+1" to "copy_length" in check_grant_db().

--- sql/sql_acl.cc | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index 2458a7120da..cf150439391 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -1363,7 +1363,8 @@ ulong acl_get(const char *host, const char *ip, copy_length= (size_t) (strlen(ip ? ip : "") + strlen(user ? user : "") + - strlen(db ? db : "")); + strlen(db ? db : "")) + 2; /* Added 2 at the end to avoid + buffer overflow at strmov()*/ /* Make sure that strmov() operations do not result in buffer overflow. */ @@ -4353,7 +4354,8 @@ bool check_grant_db(THD *thd,const char *db) size_t copy_length; copy_length= (size_t) (strlen(sctx->priv_user ? sctx->priv_user : "") + - strlen(db ? db : "")); + strlen(db ? db : "")) + 1; /* Added 1 at the end to avoid + buffer overflow at strmov()*/ /* Make sure that strmov() operations do not result in buffer overflow.
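Review bot: The arithmetic in the acl_get() hunk does not match the analysis in the commit message, which counts a three-byte overflow (two separator +1's plus the terminating null written by strmov()), while the hunk adds only 2; that is sufficient only if the length check that follows the `Make sure that strmov() operations do not result in buffer overflow` comment compares `copy_length` with `>=` against ACL_KEY_LENGTH and so already reserves the last byte for the null. That check is outside the hunk's context, so please confirm it and state it in the comment: `/* Added 2 at the end to avoid buffer overflow at strmov()*/` explains neither what the two bytes are nor where the null is accounted for, and is missing the space before `*/`. It would be clearer to write the sum in the shape of the buffer it guards, e.g. `copy_length= strlen(ip ? ip : "") + 1 + strlen(user ? user : "") + 1 + strlen(db ? db : "");`. The Description also says the buffers can be overflowed by up to two bytes while the Analysis says three; the two should be reconciled before this is merged.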
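Review bot: Same concern for the check_grant_db() hunk: `+ 1` covers the single separator between sctx->priv_user and db but not the terminating null that the Analysis counts, so the bound check below the hunk must be `>=` for this to be safe, and the comment should say so rather than repeat "to avoid buffer overflow at strmov()". Minor points: the `(size_t)` cast is redundant because strlen() already returns size_t, and `size_t copy_length;` immediately followed by the assignment could be one initialised definition. The commit carries no regression test; a test that exercises both acl_get() (ip/user/db) and check_grant_db() (priv_user/db) with name lengths whose sum is exactly ACL_KEY_LENGTH minus one, two and three would pin down the boundary this patch is meant to fix and would catch the original CVE-2012-5611 fix being incomplete again.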