mirror of https://github.com/MariaDB/server.git synced 2025-10-25 18:38:00 +03:00

MDEV-34205: ASAN stack buffer overflow in strxnmov() in frm_file_exists

Correct the second parameter for strxnmov to prevent potential buffer
overflows. The second parameter must be one less than the size of the
input buffer to avoid writing past the end of the buffer.

While the second parameter is usually correct, there are exceptions
that need fixing.

This commit addresses the issue within frm_file_exists() and other
affected places.
Vladislav Vaintroub
2024-05-21 16:03:13 +02:00
parent 7c4c082349
commit 736449d30f
7 changed files with 16 additions and 5 deletions


@@ -256,3 +256,8 @@ drop database mysqltest;
Warnings:
Note 1008 Can't drop database 'mysqltest'; database doesn't exist
set @@session.sql_if_exists=0;
#
# MDEV-34205 ASAN stack-buffer-overflow in strxnmov | frm_file_exists
#
DROP TABLE `##################################################_long`.`#################################################_long`;
ERROR 42S02: Unknown table '##################################################_long.#########################################...'


@@ -361,3 +361,9 @@ drop table mysqltest.does_not_exists;
drop database mysqltest;
drop database mysqltest;
set @@session.sql_if_exists=0;
--echo #
--echo # MDEV-34205 ASAN stack-buffer-overflow in strxnmov | frm_file_exists
--echo #
--error ER_BAD_TABLE_ERROR
DROP TABLE `##################################################_long`.`#################################################_long`;


@@ -4356,7 +4356,7 @@ void handler::print_error(int error, myf errflag)
if (error < HA_ERR_FIRST && bas_ext()[0])
{
char buff[FN_REFLEN];
strxnmov(buff, sizeof(buff),
strxnmov(buff, sizeof(buff)-1,
table_share->normalized_path.str, bas_ext()[0], NULL);
my_error(textno, errflag, buff, error);
}
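Review bot: The variadic list on the new `strxnmov(buff, sizeof(buff)-1, ...)` call is still terminated with `NULL`, while the mysql_write_frm and frm_file_exists hunks of this commit use `NullS`. In C++ `NULL` may be a plain integer constant, and passing that through `...` where the callee reads a `char *` is not guaranteed to work on every ABI. Since the line is being touched anyway, I would end it with `bas_ext()[0], NullS);`. The same applies to the calls in the sql_kill_user and Sys_var_timestamp::on_check_access_session hunks. print_error's body starts and ends outside the hunk.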


@@ -9564,7 +9564,7 @@ sql_kill_user(THD *thd, LEX_USER *user, killed_state state)
break;
case ER_KILL_DENIED_ERROR:
char buf[DEFINER_LENGTH+1];
strxnmov(buf, sizeof(buf), user->user.str, "@", user->host.str, NULL);
strxnmov(buf, sizeof(buf)-1, user->user.str, "@", user->host.str, NULL);
my_printf_error(ER_KILL_DENIED_ERROR, ER_THD(thd, ER_CANNOT_USER), MYF(0),
"KILL USER", buf);
break;


@@ -1906,7 +1906,7 @@ bool mysql_write_frm(ALTER_PARTITION_PARAM_TYPE *lpt, uint flags)
*/
build_table_filename(path, sizeof(path) - 1, lpt->alter_info->db.str,
lpt->alter_info->table_name.str, "", 0);
strxnmov(frm_name, sizeof(frm_name), path, reg_ext, NullS);
strxnmov(frm_name, sizeof(frm_name)-1, path, reg_ext, NullS);
/*
When we are changing to use new frm file we need to ensure that we
don't collide with another thread in process to open the frm file.
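Review bot: With the corrected bound, `strxnmov(frm_name, sizeof(frm_name)-1, path, reg_ext, NullS)` truncates silently when `path` plus `reg_ext` does not fit, and the comment that follows suggests frm_name is then used to operate on the frm file. The declarations of `path` and `frm_name` are outside the hunk; if the two buffers have the same size, a path that fills `path` leaves no room for the extension, and the later file operation would target a name without the full `reg_ext`. I would check `strlen(path) + strlen(reg_ext) > sizeof(frm_name) - 1` before the call and take the function's existing error path in that case, rather than continuing with a shortened name. mysql_write_frm starts and ends outside the hunk.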


@@ -4655,7 +4655,7 @@ bool Sys_var_timestamp::on_check_access_session(THD *thd) const
break;
}
char buf[1024];
strxnmov(buf, sizeof(buf), "--secure-timestamp=",
strxnmov(buf, sizeof(buf)-1, "--secure-timestamp=",
secure_timestamp_levels[opt_secure_timestamp], NULL);
my_error(ER_OPTION_PREVENTS_STATEMENT, MYF(0), buf);
return true;


@@ -13313,7 +13313,7 @@ ha_innobase::discard_or_import_tablespace(
static bool frm_file_exists(const char *path)
{
char buff[FN_REFLEN];
strxnmov(buff, FN_REFLEN, path, reg_ext, NullS);
strxnmov(buff, sizeof(buff)-1, path, reg_ext, NullS);
return !access(buff, F_OK);
}
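Review bot: frm_file_exists still answers for a truncated name: when `path` plus `reg_ext` is longer than `sizeof(buff)-1`, strxnmov cuts the string and `access()` probes a different path than the one the caller asked about. The added test expects ER_BAD_TABLE_ERROR, which holds only as long as no file happens to exist at the truncated name. Returning early makes the result independent of that: `if (strlen(path) + strlen(reg_ext) >= sizeof(buff)) return false;` before the strxnmov call. A one-line comment above the function stating that over-long paths are reported as missing would document the choice.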