1
0
mirror of https://github.com/MariaDB/server.git synced 2025-07-27 18:02:13 +03:00

Bug #15954872 "MAKE MDL SUBSYSTEM AND TABLE DEFINITION CACHE

ROBUST AGAINST BUGS IN CALLERS".

Both MDL subsystems and Table Definition Cache code assume 
that callers ensure that names of objects passed to them are 
not longer than NAME_LEN bytes. Unfortunately due to bugs in 
callers this assumption might be broken in some cases. As
result we get nasty bugs causing buffer overruns when we
construct MDL key or TDC key from object names.

This patch makes TDC code more robust against such bugs by 
ensuring that we always checking size of result buffer when
constructing TDC keys. This doesn't free its callers from 
ensuring that both db and table names are shorter than 
NAME_LEN bytes. But at least this steps prevents buffer 
overruns in case of bug in caller, replacing them with less 
harmful behavior.

This is 5.1-only version of patch.

This patch introduces new version of create_table_def_key()
helper function which constructs TDC key without risk of
result buffer overrun. Places in code that construct TDC keys 
were changed to use this function.

Also changed rm_temporary_table() and open_new_frm() functions
to avoid use of "unsafe" strmov() and strxmov() functions and 
use safer strnxmov() instead.
This commit is contained in:
Dmitry Lenev
2012-12-11 22:00:51 +04:00
parent a172c21265
commit 2e10e7c38e
4 changed files with 62 additions and 28 deletions

View File

@ -2708,8 +2708,8 @@ void Query_cache::invalidate_table(THD *thd, TABLE_LIST *table_list)
char key[MAX_DBKEY_LENGTH];
uint key_length;
key_length=(uint) (strmov(strmov(key,table_list->db)+1,
table_list->table_name) -key)+ 1;
key_length= create_table_def_key(key, table_list->db,
table_list->table_name);
// We don't store temporary tables => no key_length+=4 ...
invalidate_table(thd, (uchar *)key, key_length);
@ -2830,8 +2830,8 @@ Query_cache::register_tables_from_list(TABLE_LIST *tables_used,
DBUG_PRINT("qcache", ("view: %s db: %s",
tables_used->view_name.str,
tables_used->view_db.str));
key_length= (uint) (strmov(strmov(key, tables_used->view_db.str) + 1,
tables_used->view_name.str) - key) + 1;
key_length= create_table_def_key(key, tables_used->view_db.str,
tables_used->view_name.str);
/*
There are not callback function for for VIEWs
*/
@ -4062,8 +4062,9 @@ uint Query_cache::filename_2_table_key (char *key, const char *path,
*db_length= (filename - dbname) - 1;
DBUG_PRINT("qcache", ("table '%-.*s.%s'", *db_length, dbname, filename));
DBUG_RETURN((uint) (strmov(strmake(key, dbname, *db_length) + 1,
filename) -key) + 1);
DBUG_RETURN((uint) (strmake(strmake(key, dbname,
min(*db_length, NAME_LEN)) + 1,
filename, NAME_LEN) - key) + 1);
}
/****************************************************************************