Bug#31669 Buffer overflow in mysql_change_user()

The problem is that when copying the supplied username and database, no bounds checking is performed on the fixed-length buffer. A sufficiently large (> 512) user string can easily cause stack corruption. Since this API can be used from PHP and other programs, this is a serious problem. The solution is to increase the buffer size to the accepted size in similar functions and perform bounds checking when copying the username and database. libmysql/libmysql.c: Increase the buffer size and perform bounds checking when copying the supplied arguments. tests/mysql_client_test.c: Add test case for Bug#31669
2025-06-12 01:53:02 +03:00 · 2007-10-23 09:05:39 -03:00
parent d927461052
commit 22e972ffeb
2 changed files with 98 additions and 3 deletions
--- a/libmysql/libmysql.c
+++ b/libmysql/libmysql.c
@ -706,7 +706,8 @@ int cli_read_change_user_result(MYSQL *mysql, char *buff, const char *passwd)
 my_bool	STDCALL mysql_change_user(MYSQL *mysql, const char *user,
 				  const char *passwd, const char *db)
 {
-  char buff[512],*end=buff;
+  char buff[USERNAME_LENGTH+SCRAMBLED_PASSWORD_CHAR_LENGTH+NAME_LEN+2];
+  char *end= buff;
  int rc;
  DBUG_ENTER("mysql_change_user");

@ -716,7 +717,7 @@ my_bool	STDCALL mysql_change_user(MYSQL *mysql, const char *user,
    passwd="";

  /* Store user into the buffer */
-  end=strmov(end,user)+1;
+  end= strmake(end, user, USERNAME_LENGTH) + 1;

  /* write scrambled password according to server capabilities */
  if (passwd[0])
@ -736,7 +737,7 @@ my_bool	STDCALL mysql_change_user(MYSQL *mysql, const char *user,
  else
    *end++= '\0';                               /* empty password */
  /* Add database if needed */
-  end= strmov(end, db ? db : "") + 1;
+  end= strmake(end, db ? db : "", NAME_LEN) + 1;

  /* Write authentication package */
  simple_command(mysql,COM_CHANGE_USER, buff,(ulong) (end-buff),1);